Branch data Line data Source code
1 : : /* cred.c --- Implementation of GSS-API Credential Management functions.
2 : : * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2009, 2010 Simon Josefsson
3 : : *
4 : : * This file is part of the Generic Security Service (GSS).
5 : : *
6 : : * GSS is free software; you can redistribute it and/or modify it
7 : : * under the terms of the GNU General Public License as published by
8 : : * the Free Software Foundation; either version 3 of the License, or
9 : : * (at your option) any later version.
10 : : *
11 : : * GSS is distributed in the hope that it will be useful, but WITHOUT
12 : : * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 : : * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
14 : : * License for more details.
15 : : *
16 : : * You should have received a copy of the GNU General Public License
17 : : * along with GSS; if not, see http://www.gnu.org/licenses or write to
18 : : * the Free Software Foundation, Inc., 51 Franklin Street, Fifth
19 : : * Floor, Boston, MA 02110-1301, USA.
20 : : *
21 : : */
22 : :
23 : : #include "internal.h"
24 : :
25 : : /* _gss_find_mech */
26 : : #include "meta.h"
27 : :
28 : : /**
29 : : * gss_acquire_cred:
30 : : * @minor_status: (integer, modify) Mechanism specific status code.
31 : : * @desired_name: (gss_name_t, read) Name of principal whose
32 : : * credential should be acquired.
33 : : * @time_req: (Integer, read, optional) Number of seconds that
34 : : * credentials should remain valid. Specify GSS_C_INDEFINITE to
35 : : * request that the credentials have the maximum permitted lifetime.
36 : : * @desired_mechs: (Set of Object IDs, read, optional) Set of
37 : : * underlying security mechanisms that may be used.
38 : : * GSS_C_NO_OID_SET may be used to obtain an implementation-specific
39 : : * default.
40 : : * @cred_usage: (gss_cred_usage_t, read) GSS_C_BOTH - Credentials may
41 : : * be used either to initiate or accept security contexts.
42 : : * GSS_C_INITIATE - Credentials will only be used to initiate
43 : : * security contexts. GSS_C_ACCEPT - Credentials will only be used
44 : : * to accept security contexts.
45 : : * @output_cred_handle: (gss_cred_id_t, modify) The returned
46 : : * credential handle. Resources associated with this credential
47 : : * handle must be released by the application after use with a call
48 : : * to gss_release_cred().
49 : : * @actual_mechs: (Set of Object IDs, modify, optional) The set of
50 : : * mechanisms for which the credential is valid. Storage associated
51 : : * with the returned OID-set must be released by the application
52 : : * after use with a call to gss_release_oid_set(). Specify NULL if
53 : : * not required.
54 : : * @time_rec: (Integer, modify, optional) Actual number of seconds for
55 : : * which the returned credentials will remain valid. If the
56 : : * implementation does not support expiration of credentials, the
57 : : * value GSS_C_INDEFINITE will be returned. Specify NULL if not
58 : : * required.
59 : : *
60 : : * Allows an application to acquire a handle for a pre-existing
61 : : * credential by name. GSS-API implementations must impose a local
62 : : * access-control policy on callers of this routine to prevent
63 : : * unauthorized callers from acquiring credentials to which they are
64 : : * not entitled. This routine is not intended to provide a "login to
65 : : * the network" function, as such a function would involve the
66 : : * creation of new credentials rather than merely acquiring a handle
67 : : * to existing credentials. Such functions, if required, should be
68 : : * defined in implementation-specific extensions to the API.
69 : : *
70 : : * If desired_name is GSS_C_NO_NAME, the call is interpreted as a
71 : : * request for a credential handle that will invoke default behavior
72 : : * when passed to gss_init_sec_context() (if cred_usage is
73 : : * GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if
74 : : * cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).
75 : : *
76 : : * Mechanisms should honor the desired_mechs parameter, and return a
77 : : * credential that is suitable to use only with the requested
78 : : * mechanisms. An exception to this is the case where one underlying
79 : : * credential element can be shared by multiple mechanisms; in this
80 : : * case it is permissible for an implementation to indicate all
81 : : * mechanisms with which the credential element may be used. If
82 : : * desired_mechs is an empty set, behavior is undefined.
83 : : *
84 : : * This routine is expected to be used primarily by context acceptors,
85 : : * since implementations are likely to provide mechanism-specific ways
86 : : * of obtaining GSS-API initiator credentials from the system login
87 : : * process. Some implementations may therefore not support the
88 : : * acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
89 : : * gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
90 : : * produced by applying either gss_inquire_cred to a valid credential,
91 : : * or gss_inquire_context to an active context.
92 : : *
93 : : * If credential acquisition is time-consuming for a mechanism, the
94 : : * mechanism may choose to delay the actual acquisition until the
95 : : * credential is required (e.g. by gss_init_sec_context or
96 : : * gss_accept_sec_context). Such mechanism-specific implementation
97 : : * decisions should be invisible to the calling application; thus a
98 : : * call of gss_inquire_cred immediately following the call of
99 : : * gss_acquire_cred must return valid credential data, and may
100 : : * therefore incur the overhead of a deferred credential acquisition.
101 : : *
102 : : * Return value:
103 : : *
104 : : * `GSS_S_COMPLETE`: Successful completion.
105 : : *
106 : : * `GSS_S_BAD_MECH`: Unavailable mechanism requested.
107 : : *
108 : : * `GSS_S_BAD_NAMETYPE`: Type contained within desired_name parameter
109 : : * is not supported.
110 : : *
111 : : * `GSS_S_BAD_NAME`: Value supplied for desired_name parameter is ill
112 : : * formed.
113 : : *
114 : : * `GSS_S_CREDENTIALS_EXPIRED`: The credentials could not be acquired
115 : : * Because they have expired.
116 : : *
117 : : * `GSS_S_NO_CRED`: No credentials were found for the specified name.
118 : : **/
119 : : OM_uint32
120 : 1 : gss_acquire_cred (OM_uint32 * minor_status,
121 : : const gss_name_t desired_name,
122 : : OM_uint32 time_req,
123 : : const gss_OID_set desired_mechs,
124 : : gss_cred_usage_t cred_usage,
125 : : gss_cred_id_t * output_cred_handle,
126 : : gss_OID_set * actual_mechs, OM_uint32 * time_rec)
127 : : {
128 : 1 : _gss_mech_api_t mech = NULL;
129 : : OM_uint32 maj_stat;
130 : :
131 [ - + ]: 1 : if (!output_cred_handle)
132 : 0 : return GSS_S_NO_CRED | GSS_S_CALL_INACCESSIBLE_WRITE;
133 : :
134 [ - + ]: 1 : if (desired_mechs != GSS_C_NO_OID_SET)
135 : : {
136 : : size_t i;
137 : :
138 : : /* Is the desired_mechs an OR or AND list? I.e., if the OID set
139 : : contain several OIDs, MUST the credential work with all of
140 : : them? Or just any of them? The specification isn't entirely
141 : : clear on this, to me. This implement an OR list, chosing the
142 : : first mechanism in the OID set we support. We need more
143 : : information in meta.c to implement AND lists. */
144 : :
145 [ # # ][ # # ]: 0 : for (i = 0; mech == NULL && i < desired_mechs->count; i++)
146 : 0 : mech = _gss_find_mech ((&desired_mechs->elements)[i]);
147 : : }
148 : : else
149 : 1 : mech = _gss_find_mech (GSS_C_NO_OID);
150 : :
151 [ - + ]: 1 : if (mech == NULL)
152 : : {
153 [ # # ]: 0 : if (minor_status)
154 : 0 : *minor_status = 0;
155 : 0 : return GSS_S_BAD_MECH;
156 : : }
157 : :
158 : 1 : *output_cred_handle = calloc (sizeof (**output_cred_handle), 1);
159 [ - + ]: 1 : if (!*output_cred_handle)
160 : : {
161 [ # # ]: 0 : if (minor_status)
162 : 0 : *minor_status = ENOMEM;
163 : 0 : return GSS_S_FAILURE;
164 : : }
165 : 1 : (*output_cred_handle)->mech = mech->mech;
166 : :
167 : 1 : maj_stat = mech->acquire_cred (minor_status,
168 : : desired_name,
169 : : time_req,
170 : : desired_mechs,
171 : : cred_usage,
172 : : output_cred_handle, actual_mechs, time_rec);
173 [ - + ]: 1 : if (GSS_ERROR (maj_stat))
174 : : {
175 : 0 : free (*output_cred_handle);
176 : 0 : *output_cred_handle = GSS_C_NO_CREDENTIAL;
177 : 0 : return maj_stat;
178 : : }
179 : :
180 : 1 : return GSS_S_COMPLETE;
181 : : }
182 : :
183 : : /**
184 : : * gss_add_cred:
185 : : * @minor_status: (integer, modify) Mechanism specific status code.
186 : : * @input_cred_handle: (gss_cred_id_t, read, optional) The credential
187 : : * to which a credential-element will be added. If
188 : : * GSS_C_NO_CREDENTIAL is specified, the routine will compose the
189 : : * new credential based on default behavior (see text).
190 : : * Note that, while the credential-handle is not modified by
191 : : * gss_add_cred(), the underlying credential will be modified if
192 : : * output_credential_handle is NULL.
193 : : * @desired_name: (gss_name_t, read.) Name of principal whose
194 : : * credential should be acquired.
195 : : * @desired_mech: (Object ID, read) Underlying security mechanism with
196 : : * which the credential may be used.
197 : : * @cred_usage: (gss_cred_usage_t, read) GSS_C_BOTH - Credential may
198 : : * be used either to initiate or accept security contexts.
199 : : * GSS_C_INITIATE - Credential will only be used to initiate
200 : : * security contexts. GSS_C_ACCEPT - Credential will only be used
201 : : * to accept security contexts.
202 : : * @initiator_time_req: (Integer, read, optional) number of seconds
203 : : * that the credential should remain valid for initiating security
204 : : * contexts. This argument is ignored if the composed credentials
205 : : * are of type GSS_C_ACCEPT. Specify GSS_C_INDEFINITE to request
206 : : * that the credentials have the maximum permitted initiator
207 : : * lifetime.
208 : : * @acceptor_time_req: (Integer, read, optional) number of seconds
209 : : * that the credential should remain valid for accepting security
210 : : * contexts. This argument is ignored if the composed credentials
211 : : * are of type GSS_C_INITIATE. Specify GSS_C_INDEFINITE to request
212 : : * that the credentials have the maximum permitted initiator
213 : : * lifetime.
214 : : * @output_cred_handle: (gss_cred_id_t, modify, optional) The returned
215 : : * credential handle, containing the new credential-element and all
216 : : * the credential-elements from input_cred_handle. If a valid
217 : : * pointer to a gss_cred_id_t is supplied for this parameter,
218 : : * gss_add_cred creates a new credential handle containing all
219 : : * credential-elements from the input_cred_handle and the newly
220 : : * acquired credential-element; if NULL is specified for this
221 : : * parameter, the newly acquired credential-element will be added to
222 : : * the credential identified by input_cred_handle. The resources
223 : : * associated with any credential handle returned via this parameter
224 : : * must be released by the application after use with a call to
225 : : * gss_release_cred().
226 : : * @actual_mechs: (Set of Object IDs, modify, optional) The complete
227 : : * set of mechanisms for which the new credential is valid. Storage
228 : : * for the returned OID-set must be freed by the application after
229 : : * use with a call to gss_release_oid_set(). Specify NULL if not
230 : : * required.
231 : : * @initiator_time_rec: (Integer, modify, optional) Actual number of
232 : : * seconds for which the returned credentials will remain valid for
233 : : * initiating contexts using the specified mechanism. If the
234 : : * implementation or mechanism does not support expiration of
235 : : * credentials, the value GSS_C_INDEFINITE will be returned. Specify
236 : : * NULL if not required
237 : : * @acceptor_time_rec: (Integer, modify, optional) Actual number of
238 : : * seconds for which the returned credentials will remain valid for
239 : : * accepting security contexts using the specified mechanism. If
240 : : * the implementation or mechanism does not support expiration of
241 : : * credentials, the value GSS_C_INDEFINITE will be returned. Specify
242 : : * NULL if not required
243 : : *
244 : : * Adds a credential-element to a credential. The credential-element is
245 : : * identified by the name of the principal to which it refers. GSS-API
246 : : * implementations must impose a local access-control policy on callers
247 : : * of this routine to prevent unauthorized callers from acquiring
248 : : * credential-elements to which they are not entitled. This routine is
249 : : * not intended to provide a "login to the network" function, as such a
250 : : * function would involve the creation of new mechanism-specific
251 : : * authentication data, rather than merely acquiring a GSS-API handle to
252 : : * existing data. Such functions, if required, should be defined in
253 : : * implementation-specific extensions to the API.
254 : : *
255 : : * If desired_name is GSS_C_NO_NAME, the call is interpreted as a
256 : : * request to add a credential element that will invoke default behavior
257 : : * when passed to gss_init_sec_context() (if cred_usage is
258 : : * GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if
259 : : * cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).
260 : : *
261 : : * This routine is expected to be used primarily by context acceptors,
262 : : * since implementations are likely to provide mechanism-specific ways
263 : : * of obtaining GSS-API initiator credentials from the system login
264 : : * process. Some implementations may therefore not support the
265 : : * acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
266 : : * gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
267 : : * produced by applying either gss_inquire_cred to a valid credential,
268 : : * or gss_inquire_context to an active context.
269 : : *
270 : : * If credential acquisition is time-consuming for a mechanism, the
271 : : * mechanism may choose to delay the actual acquisition until the
272 : : * credential is required (e.g. by gss_init_sec_context or
273 : : * gss_accept_sec_context). Such mechanism-specific implementation
274 : : * decisions should be invisible to the calling application; thus a call
275 : : * of gss_inquire_cred immediately following the call of gss_add_cred
276 : : * must return valid credential data, and may therefore incur the
277 : : * overhead of a deferred credential acquisition.
278 : : *
279 : : * This routine can be used to either compose a new credential
280 : : * containing all credential-elements of the original in addition to the
281 : : * newly-acquire credential-element, or to add the new credential-
282 : : * element to an existing credential. If NULL is specified for the
283 : : * output_cred_handle parameter argument, the new credential-element
284 : : * will be added to the credential identified by input_cred_handle; if a
285 : : * valid pointer is specified for the output_cred_handle parameter, a
286 : : * new credential handle will be created.
287 : : *
288 : : * If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle,
289 : : * gss_add_cred will compose a credential (and set the
290 : : * output_cred_handle parameter accordingly) based on default behavior.
291 : : * That is, the call will have the same effect as if the application had
292 : : * first made a call to gss_acquire_cred(), specifying the same usage
293 : : * and passing GSS_C_NO_NAME as the desired_name parameter to obtain an
294 : : * explicit credential handle embodying default behavior, passed this
295 : : * credential handle to gss_add_cred(), and finally called
296 : : * gss_release_cred() on the first credential handle.
297 : : *
298 : : * If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle
299 : : * parameter, a non-NULL output_cred_handle must be supplied.
300 : : *
301 : : * Return value:
302 : : *
303 : : * `GSS_S_COMPLETE`: Successful completion.
304 : : *
305 : : * `GSS_S_BAD_MECH`: Unavailable mechanism requested.
306 : : *
307 : : * `GSS_S_BAD_NAMETYPE`: Type contained within desired_name parameter
308 : : * is not supported.
309 : : *
310 : : * `GSS_S_BAD_NAME`: Value supplied for desired_name parameter is
311 : : * ill-formed.
312 : : *
313 : : * `GSS_S_DUPLICATE_ELEMENT`: The credential already contains an
314 : : * element for the requested mechanism with overlapping usage and
315 : : * validity period.
316 : : *
317 : : * `GSS_S_CREDENTIALS_EXPIRED`: The required credentials could not be
318 : : * added because they have expired.
319 : : *
320 : : * `GSS_S_NO_CRED`: No credentials were found for the specified name.
321 : : **/
322 : : OM_uint32
323 : 0 : gss_add_cred (OM_uint32 * minor_status,
324 : : const gss_cred_id_t input_cred_handle,
325 : : const gss_name_t desired_name,
326 : : const gss_OID desired_mech,
327 : : gss_cred_usage_t cred_usage,
328 : : OM_uint32 initiator_time_req,
329 : : OM_uint32 acceptor_time_req,
330 : : gss_cred_id_t * output_cred_handle,
331 : : gss_OID_set * actual_mechs,
332 : : OM_uint32 * initiator_time_rec, OM_uint32 * acceptor_time_rec)
333 : : {
334 : 0 : return GSS_S_UNAVAILABLE;
335 : : }
336 : :
337 : : /**
338 : : * gss_inquire_cred:
339 : : * @minor_status: (integer, modify) Mechanism specific status code.
340 : : * @cred_handle: (gss_cred_id_t, read) A handle that refers to the
341 : : * target credential. Specify GSS_C_NO_CREDENTIAL to inquire about
342 : : * the default initiator principal.
343 : : * @name: (gss_name_t, modify, optional) The name whose identity the
344 : : * credential asserts. Storage associated with this name should be
345 : : * freed by the application after use with a call to
346 : : * gss_release_name(). Specify NULL if not required.
347 : : * @lifetime: (Integer, modify, optional) The number of seconds for
348 : : * which the credential will remain valid. If the credential has
349 : : * expired, this parameter will be set to zero. If the
350 : : * implementation does not support credential expiration, the value
351 : : * GSS_C_INDEFINITE will be returned. Specify NULL if not required.
352 : : * @cred_usage: (gss_cred_usage_t, modify, optional) How the
353 : : * credential may be used. One of the following: GSS_C_INITIATE,
354 : : * GSS_C_ACCEPT, GSS_C_BOTH. Specify NULL if not required.
355 : : * @mechanisms: (gss_OID_set, modify, optional) Set of mechanisms
356 : : * supported by the credential. Storage associated with this OID
357 : : * set must be freed by the application after use with a call to
358 : : * gss_release_oid_set(). Specify NULL if not required.
359 : : *
360 : : * Obtains information about a credential.
361 : : *
362 : : * Return value:
363 : : *
364 : : * `GSS_S_COMPLETE`: Successful completion.
365 : : *
366 : : * `GSS_S_NO_CRED`: The referenced credentials could not be accessed.
367 : : *
368 : : * `GSS_S_DEFECTIVE_CREDENTIAL`: The referenced credentials were invalid.
369 : : *
370 : : * `GSS_S_CREDENTIALS_EXPIRED`: The referenced credentials have
371 : : * expired. If the lifetime parameter was not passed as NULL, it will
372 : : * be set to 0.
373 : : **/
374 : : OM_uint32
375 : 0 : gss_inquire_cred (OM_uint32 * minor_status,
376 : : const gss_cred_id_t cred_handle,
377 : : gss_name_t * name,
378 : : OM_uint32 * lifetime,
379 : : gss_cred_usage_t * cred_usage, gss_OID_set * mechanisms)
380 : : {
381 : 0 : gss_cred_id_t credh = cred_handle;
382 : : _gss_mech_api_t mech;
383 : : OM_uint32 maj_stat;
384 : :
385 [ # # ]: 0 : if (cred_handle == GSS_C_NO_CREDENTIAL)
386 : : {
387 : 0 : maj_stat = gss_acquire_cred (minor_status, GSS_C_NO_NAME,
388 : : GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
389 : : GSS_C_INITIATE, &credh, NULL, NULL);
390 [ # # ]: 0 : if (GSS_ERROR (maj_stat))
391 : 0 : return maj_stat;
392 : : }
393 : :
394 : 0 : mech = _gss_find_mech (credh->mech);
395 [ # # ]: 0 : if (mech == NULL)
396 : : {
397 [ # # ]: 0 : if (minor_status)
398 : 0 : *minor_status = 0;
399 : 0 : return GSS_S_BAD_MECH;
400 : : }
401 : :
402 : 0 : maj_stat = mech->inquire_cred (minor_status, credh, name, lifetime,
403 : : cred_usage, mechanisms);
404 : :
405 [ # # ]: 0 : if (cred_handle == GSS_C_NO_CREDENTIAL)
406 : 0 : gss_release_cred (NULL, &credh);
407 : :
408 : 0 : return maj_stat;
409 : : }
410 : :
411 : : /**
412 : : * gss_inquire_cred_by_mech:
413 : : * @minor_status: (Integer, modify) Mechanism specific status code.
414 : : * @cred_handle: (gss_cred_id_t, read) A handle that refers to the
415 : : * target credential. Specify GSS_C_NO_CREDENTIAL to inquire about
416 : : * the default initiator principal.
417 : : * @mech_type: (gss_OID, read) The mechanism for which information
418 : : * should be returned.
419 : : * @name: (gss_name_t, modify, optional) The name whose identity the
420 : : * credential asserts. Storage associated with this name must be
421 : : * freed by the application after use with a call to
422 : : * gss_release_name(). Specify NULL if not required.
423 : : * @initiator_lifetime: (Integer, modify, optional) The number of
424 : : * seconds for which the credential will remain capable of
425 : : * initiating security contexts under the specified mechanism. If
426 : : * the credential can no longer be used to initiate contexts, or if
427 : : * the credential usage for this mechanism is GSS_C_ACCEPT, this
428 : : * parameter will be set to zero. If the implementation does not
429 : : * support expiration of initiator credentials, the value
430 : : * GSS_C_INDEFINITE will be returned. Specify NULL if not required.
431 : : * @acceptor_lifetime: (Integer, modify, optional) The number of
432 : : * seconds for which the credential will remain capable of accepting
433 : : * security contexts under the specified mechanism. If the
434 : : * credential can no longer be used to accept contexts, or if the
435 : : * credential usage for this mechanism is GSS_C_INITIATE, this
436 : : * parameter will be set to zero. If the implementation does not
437 : : * support expiration of acceptor credentials, the value
438 : : * GSS_C_INDEFINITE will be returned. Specify NULL if not required.
439 : : * @cred_usage: (gss_cred_usage_t, modify, optional) How the
440 : : * credential may be used with the specified mechanism. One of the
441 : : * following: GSS_C_INITIATE, GSS_C_ACCEPT, GSS_C_BOTH. Specify NULL
442 : : * if not required.
443 : : *
444 : : * Obtains per-mechanism information about a credential.
445 : : *
446 : : * Return value:
447 : : *
448 : : * `GSS_S_COMPLETE`: Successful completion.
449 : : *
450 : : * `GSS_S_NO_CRED`: The referenced credentials could not be accessed.
451 : : *
452 : : * `GSS_S_DEFECTIVE_CREDENTIAL`: The referenced credentials were invalid.
453 : : *
454 : : * `GSS_S_CREDENTIALS_EXPIRED`: The referenced credentials have
455 : : * expired. If the lifetime parameter was not passed as NULL, it will
456 : : * be set to 0.
457 : : **/
458 : : OM_uint32
459 : 0 : gss_inquire_cred_by_mech (OM_uint32 * minor_status,
460 : : const gss_cred_id_t cred_handle,
461 : : const gss_OID mech_type,
462 : : gss_name_t * name,
463 : : OM_uint32 * initiator_lifetime,
464 : : OM_uint32 * acceptor_lifetime,
465 : : gss_cred_usage_t * cred_usage)
466 : : {
467 : : _gss_mech_api_t mech;
468 : 0 : gss_cred_id_t credh = cred_handle;
469 : : OM_uint32 maj_stat;
470 : :
471 [ # # ]: 0 : if (mech_type == GSS_C_NO_OID)
472 : : {
473 [ # # ]: 0 : if (minor_status)
474 : 0 : *minor_status = 0;
475 : 0 : return GSS_S_BAD_MECH;
476 : : }
477 : :
478 : 0 : mech = _gss_find_mech (mech_type);
479 [ # # ]: 0 : if (mech == NULL)
480 : : {
481 [ # # ]: 0 : if (minor_status)
482 : 0 : *minor_status = 0;
483 : 0 : return GSS_S_BAD_MECH;
484 : : }
485 : :
486 [ # # ]: 0 : if (cred_handle == GSS_C_NO_CREDENTIAL)
487 : : {
488 : 0 : maj_stat = gss_acquire_cred (minor_status,
489 : : GSS_C_NO_NAME, GSS_C_INDEFINITE,
490 : : /* FIXME: We should create an OID
491 : : set with mech_type and pass it
492 : : as desired_mechs. Maybe even
493 : : check actual_mechs too. */
494 : : GSS_C_NO_OID_SET,
495 : : GSS_C_INITIATE, &credh, NULL, NULL);
496 [ # # ]: 0 : if (GSS_ERROR (maj_stat))
497 : 0 : return maj_stat;
498 : : }
499 : :
500 : 0 : maj_stat = mech->inquire_cred_by_mech (minor_status, credh, mech_type, name,
501 : : initiator_lifetime,
502 : : acceptor_lifetime, cred_usage);
503 : :
504 [ # # ]: 0 : if (cred_handle == GSS_C_NO_CREDENTIAL)
505 : 0 : gss_release_cred (NULL, &credh);
506 : :
507 : 0 : return maj_stat;
508 : : }
509 : :
510 : : /**
511 : : * gss_release_cred:
512 : : * @minor_status: (Integer, modify) Mechanism specific status code.
513 : : * @cred_handle: (gss_cred_id_t, modify, optional) Opaque handle
514 : : * identifying credential to be released. If GSS_C_NO_CREDENTIAL is
515 : : * supplied, the routine will complete successfully, but will do
516 : : * nothing.
517 : : *
518 : : * Informs GSS-API that the specified credential handle is no longer
519 : : * required by the application, and frees associated resources. The
520 : : * cred_handle is set to GSS_C_NO_CREDENTIAL on successful completion
521 : : * of this call.
522 : : *
523 : : * Return value:
524 : : *
525 : : * `GSS_S_COMPLETE`: Successful completion.
526 : : *
527 : : * `GSS_S_NO_CRED`: Credentials could not be accessed.
528 : : **/
529 : : OM_uint32
530 : 1 : gss_release_cred (OM_uint32 * minor_status, gss_cred_id_t * cred_handle)
531 : : {
532 : : _gss_mech_api_t mech;
533 : : OM_uint32 maj_stat;
534 : :
535 [ - + ]: 1 : if (!cred_handle)
536 : : {
537 [ # # ]: 0 : if (minor_status)
538 : 0 : *minor_status = 0;
539 : 0 : return GSS_S_NO_CRED | GSS_S_CALL_INACCESSIBLE_READ;
540 : : }
541 : :
542 [ - + ]: 1 : if (*cred_handle == GSS_C_NO_CREDENTIAL)
543 : : {
544 [ # # ]: 0 : if (minor_status)
545 : 0 : *minor_status = 0;
546 : 0 : return GSS_S_COMPLETE;
547 : : }
548 : :
549 : 1 : mech = _gss_find_mech ((*cred_handle)->mech);
550 [ - + ]: 1 : if (mech == NULL)
551 : : {
552 [ # # ]: 0 : if (minor_status)
553 : 0 : *minor_status = 0;
554 : 0 : return GSS_S_DEFECTIVE_CREDENTIAL;
555 : : }
556 : :
557 : 1 : maj_stat = mech->release_cred (minor_status, cred_handle);
558 : 1 : free (*cred_handle);
559 : 1 : *cred_handle = GSS_C_NO_CREDENTIAL;
560 [ - + ]: 1 : if (GSS_ERROR (maj_stat))
561 : 0 : return maj_stat;
562 : :
563 : 1 : return GSS_S_COMPLETE;
564 : : }
|
