OM_uint32 GSSAPI_CALLCONV _gsskrb5_store_cred(OM_uint32 *minor_status, gss_cred_id_t input_cred_handle, gss_cred_usage_t cred_usage, const gss_OID desired_mech, OM_uint32 overwrite_cred, OM_uint32 default_cred, gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored) { krb5_context context; krb5_error_code ret; gsskrb5_cred cred; krb5_ccache id = NULL; krb5_ccache def_ccache = NULL; const char *def_type = NULL; time_t exp_current; time_t exp_new; *minor_status = 0; if (cred_usage != GSS_C_INITIATE) { *minor_status = GSS_KRB5_S_G_BAD_USAGE; return GSS_S_FAILURE; } if (desired_mech != GSS_C_NO_OID && gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) return GSS_S_BAD_MECH; cred = (gsskrb5_cred)input_cred_handle; if (cred == NULL) return GSS_S_NO_CRED; GSSAPI_KRB5_INIT (&context); HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = GSS_KRB5_S_G_BAD_USAGE; return GSS_S_FAILURE; } ret = krb5_cc_get_lifetime(context, cred->ccache, &exp_new); if (ret) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = ret; return GSS_S_NO_CRED; } if (cred->principal == NULL) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = GSS_KRB5_S_KG_TGT_MISSING; return GSS_S_FAILURE; } ret = krb5_cc_default(context, &def_ccache); if (ret == 0) { def_type = krb5_cc_get_type(context, def_ccache); krb5_cc_close(context, def_ccache); } def_ccache = NULL; /* write out cred to credential cache */ ret = krb5_cc_cache_match(context, cred->principal, &id); if (ret) { if (default_cred) { ret = krb5_cc_default(context, &id); if (ret) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = ret; return GSS_S_FAILURE; } } else { if (def_type == NULL || !krb5_cc_support_switch(context, def_type)) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = 0; /* XXX */ return GSS_S_NO_CRED; /* XXX */ } ret = krb5_cc_new_unique(context, def_type, NULL, &id); if (ret) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = ret; return GSS_S_FAILURE; } overwrite_cred = 1; } } if (!overwrite_cred) { /* If current creds are expired or near it, overwrite */ ret = krb5_cc_get_lifetime(context, id, &exp_current); if (ret != 0 || exp_new > exp_current) overwrite_cred = 1; } if (!overwrite_cred) { /* Nothing to do */ krb5_cc_close(context, id); HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = 0; return GSS_S_DUPLICATE_ELEMENT; } ret = krb5_cc_initialize(context, id, cred->principal); if (ret == 0) ret = krb5_cc_copy_match_f(context, cred->ccache, id, NULL, NULL, NULL); if (ret) { krb5_cc_close(context, id); HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = ret; return(GSS_S_FAILURE); } if (default_cred && def_type != NULL && krb5_cc_support_switch(context, def_type)) krb5_cc_switch(context, id); krb5_cc_close(context, id); HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = 0; return GSS_S_COMPLETE; }
OM_uint32 GSSAPI_CALLCONV _gsskrb5_store_cred(OM_uint32 *minor_status, gss_cred_id_t input_cred_handle, gss_cred_usage_t cred_usage, const gss_OID desired_mech, OM_uint32 overwrite_cred, OM_uint32 default_cred, gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored) { krb5_context context; krb5_error_code ret; gsskrb5_cred cred; krb5_ccache id; int destroy = 0; *minor_status = 0; if (cred_usage != GSS_C_INITIATE) { *minor_status = GSS_KRB5_S_G_BAD_USAGE; return GSS_S_FAILURE; } if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) return GSS_S_BAD_MECH; cred = (gsskrb5_cred)input_cred_handle; if (cred == NULL) return GSS_S_NO_CRED; GSSAPI_KRB5_INIT (&context); HEIMDAL_MUTEX_lock(&cred->cred_id_mutex); if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = GSS_KRB5_S_G_BAD_USAGE; return(GSS_S_FAILURE); } if (cred->principal == NULL) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = GSS_KRB5_S_KG_TGT_MISSING; return(GSS_S_FAILURE); } /* write out cred to credential cache */ ret = krb5_cc_cache_match(context, cred->principal, &id); if (ret) { ret = krb5_cc_new_unique(context, NULL, NULL, &id); if (ret) { HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = ret; return(GSS_S_FAILURE); } destroy = 1; } ret = krb5_cc_initialize(context, id, cred->principal); if (ret == 0) ret = krb5_cc_copy_match_f(context, cred->ccache, id, NULL, NULL, NULL); if (ret) { if (destroy) krb5_cc_destroy(context, id); else krb5_cc_close(context, id); HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = ret; return(GSS_S_FAILURE); } if (default_cred) krb5_cc_switch(context, id); krb5_cc_close(context, id); HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); *minor_status = 0; return GSS_S_COMPLETE; }
int main(int argc, char **argv) { krb5_error_code ret; krb5_context context; int optidx = 0; const char *from_name, *to_name; krb5_ccache from_ccache, to_ccache; unsigned int matched; struct ctx ctx; setprogname(argv[0]); memset(&ctx, 0, sizeof(ctx)); if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) usage(1); if (help_flag) usage(0); if (version_flag) { print_version(NULL); exit(0); } argc -= optidx; argv += optidx; if (argc < 1 || argc > 2) usage(1); if (krb5_init_context(&context)) errx(1, "krb5_init_context failed"); if (service_string) { ret = krb5_parse_name(context, service_string, &ctx.mcreds.server); if (ret) krb5_err(context, 1, ret, "%s", service_string); } if (enctype_string) { krb5_enctype enctype; ret = krb5_string_to_enctype(context, enctype_string, &enctype); if (ret) krb5_err(context, 1, ret, "%s", enctype_string); ctx.whichfields |= KRB5_TC_MATCH_KEYTYPE; ctx.mcreds.session.keytype = enctype; } if (flags_string) { parse_ticket_flags(context, flags_string, &ctx.mcreds.flags); ctx.whichfields |= KRB5_TC_MATCH_FLAGS; } if (valid_string) { time_t t = parse_time(valid_string, "s"); if(t < 0) errx(1, "unknown time \"%s\"", valid_string); ctx.mcreds.times.endtime = time(NULL) + t; ctx.whichfields |= KRB5_TC_MATCH_TIMES; } if (fcache_version) krb5_set_fcache_version(context, fcache_version); if (argc == 1) { from_name = krb5_cc_default_name(context); to_name = argv[0]; } else { from_name = argv[0]; to_name = argv[1]; } ret = krb5_cc_resolve(context, from_name, &from_ccache); if (ret) krb5_err(context, 1, ret, "%s", from_name); if (krbtgt_only_flag) { krb5_principal client; ret = krb5_cc_get_principal(context, from_ccache, &client); if (ret) krb5_err(context, 1, ret, "getting default principal"); ret = krb5_make_principal(context, &ctx.mcreds.server, krb5_principal_get_realm(context, client), KRB5_TGS_NAME, krb5_principal_get_realm(context, client), NULL); if (ret) krb5_err(context, 1, ret, "constructing krbtgt principal"); krb5_free_principal(context, client); } ret = krb5_cc_resolve(context, to_name, &to_ccache); if (ret) krb5_err(context, 1, ret, "%s", to_name); ret = krb5_cc_copy_match_f(context, from_ccache, to_ccache, matchfunc, &ctx, &matched); if (ret) krb5_err(context, 1, ret, "copying cred cache"); krb5_cc_close(context, from_ccache); if(matched == 0) krb5_cc_destroy(context, to_ccache); else krb5_cc_close(context, to_ccache); krb5_free_context(context); return matched == 0; }