LCOV - code coverage report
Current view: top level - lib - cred.c (source / functions) Hit Total Coverage
Test: GNU Generic Security Service Lines: 22 80 27.5 %
Date: 2010-05-20 Functions: 2 5 40.0 %
Legend: Lines: hit not hit | Branches: + taken - not taken # not executed Branches: 9 56 16.1 %

           Branch data     Line data    Source code
       1                 :            : /* cred.c --- Implementation of GSS-API Credential Management functions.
       2                 :            :  * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2009, 2010  Simon Josefsson
       3                 :            :  *
       4                 :            :  * This file is part of the Generic Security Service (GSS).
       5                 :            :  *
       6                 :            :  * GSS is free software; you can redistribute it and/or modify it
       7                 :            :  * under the terms of the GNU General Public License as published by
       8                 :            :  * the Free Software Foundation; either version 3 of the License, or
       9                 :            :  * (at your option) any later version.
      10                 :            :  *
      11                 :            :  * GSS is distributed in the hope that it will be useful, but WITHOUT
      12                 :            :  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
      13                 :            :  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
      14                 :            :  * License for more details.
      15                 :            :  *
      16                 :            :  * You should have received a copy of the GNU General Public License
      17                 :            :  * along with GSS; if not, see http://www.gnu.org/licenses or write to
      18                 :            :  * the Free Software Foundation, Inc., 51 Franklin Street, Fifth
      19                 :            :  * Floor, Boston, MA 02110-1301, USA.
      20                 :            :  *
      21                 :            :  */
      22                 :            : 
      23                 :            : #include "internal.h"
      24                 :            : 
      25                 :            : /* _gss_find_mech */
      26                 :            : #include "meta.h"
      27                 :            : 
      28                 :            : /**
      29                 :            :  * gss_acquire_cred:
      30                 :            :  * @minor_status: (integer, modify) Mechanism specific status code.
      31                 :            :  * @desired_name: (gss_name_t, read) Name of principal whose
      32                 :            :  *   credential should be acquired.
      33                 :            :  * @time_req: (Integer, read, optional) Number of seconds that
      34                 :            :  *   credentials should remain valid. Specify GSS_C_INDEFINITE to
      35                 :            :  *   request that the credentials have the maximum permitted lifetime.
      36                 :            :  * @desired_mechs: (Set of Object IDs, read, optional) Set of
      37                 :            :  *   underlying security mechanisms that may be used.
      38                 :            :  *   GSS_C_NO_OID_SET may be used to obtain an implementation-specific
      39                 :            :  *   default.
      40                 :            :  * @cred_usage: (gss_cred_usage_t, read) GSS_C_BOTH - Credentials may
      41                 :            :  *   be used either to initiate or accept security contexts.
      42                 :            :  *   GSS_C_INITIATE - Credentials will only be used to initiate
      43                 :            :  *   security contexts.  GSS_C_ACCEPT - Credentials will only be used
      44                 :            :  *   to accept security contexts.
      45                 :            :  * @output_cred_handle: (gss_cred_id_t, modify) The returned
      46                 :            :  *   credential handle.  Resources associated with this credential
      47                 :            :  *   handle must be released by the application after use with a call
      48                 :            :  *   to gss_release_cred().
      49                 :            :  * @actual_mechs: (Set of Object IDs, modify, optional) The set of
      50                 :            :  *   mechanisms for which the credential is valid.  Storage associated
      51                 :            :  *   with the returned OID-set must be released by the application
      52                 :            :  *   after use with a call to gss_release_oid_set().  Specify NULL if
      53                 :            :  *   not required.
      54                 :            :  * @time_rec: (Integer, modify, optional) Actual number of seconds for
      55                 :            :  *   which the returned credentials will remain valid.  If the
      56                 :            :  *   implementation does not support expiration of credentials, the
      57                 :            :  *   value GSS_C_INDEFINITE will be returned. Specify NULL if not
      58                 :            :  *   required.
      59                 :            :  *
      60                 :            :  * Allows an application to acquire a handle for a pre-existing
      61                 :            :  * credential by name.  GSS-API implementations must impose a local
      62                 :            :  * access-control policy on callers of this routine to prevent
      63                 :            :  * unauthorized callers from acquiring credentials to which they are
      64                 :            :  * not entitled.  This routine is not intended to provide a "login to
      65                 :            :  * the network" function, as such a function would involve the
      66                 :            :  * creation of new credentials rather than merely acquiring a handle
      67                 :            :  * to existing credentials.  Such functions, if required, should be
      68                 :            :  * defined in implementation-specific extensions to the API.
      69                 :            :  *
      70                 :            :  * If desired_name is GSS_C_NO_NAME, the call is interpreted as a
      71                 :            :  * request for a credential handle that will invoke default behavior
      72                 :            :  * when passed to gss_init_sec_context() (if cred_usage is
      73                 :            :  * GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if
      74                 :            :  * cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).
      75                 :            :  *
      76                 :            :  * Mechanisms should honor the desired_mechs parameter, and return a
      77                 :            :  * credential that is suitable to use only with the requested
      78                 :            :  * mechanisms.  An exception to this is the case where one underlying
      79                 :            :  * credential element can be shared by multiple mechanisms; in this
      80                 :            :  * case it is permissible for an implementation to indicate all
      81                 :            :  * mechanisms with which the credential element may be used.  If
      82                 :            :  * desired_mechs is an empty set, behavior is undefined.
      83                 :            :  *
      84                 :            :  * This routine is expected to be used primarily by context acceptors,
      85                 :            :  * since implementations are likely to provide mechanism-specific ways
      86                 :            :  * of obtaining GSS-API initiator credentials from the system login
      87                 :            :  * process.  Some implementations may therefore not support the
      88                 :            :  * acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
      89                 :            :  * gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
      90                 :            :  * produced by applying either gss_inquire_cred to a valid credential,
      91                 :            :  * or gss_inquire_context to an active context.
      92                 :            :  *
      93                 :            :  * If credential acquisition is time-consuming for a mechanism, the
      94                 :            :  * mechanism may choose to delay the actual acquisition until the
      95                 :            :  * credential is required (e.g. by gss_init_sec_context or
      96                 :            :  * gss_accept_sec_context).  Such mechanism-specific implementation
      97                 :            :  * decisions should be invisible to the calling application; thus a
      98                 :            :  * call of gss_inquire_cred immediately following the call of
      99                 :            :  * gss_acquire_cred must return valid credential data, and may
     100                 :            :  * therefore incur the overhead of a deferred credential acquisition.
     101                 :            :  *
     102                 :            :  * Return value:
     103                 :            :  *
     104                 :            :  * `GSS_S_COMPLETE`: Successful completion.
     105                 :            :  *
     106                 :            :  * `GSS_S_BAD_MECH`: Unavailable mechanism requested.
     107                 :            :  *
     108                 :            :  * `GSS_S_BAD_NAMETYPE`: Type contained within desired_name parameter
     109                 :            :  * is not supported.
     110                 :            :  *
     111                 :            :  * `GSS_S_BAD_NAME`: Value supplied for desired_name parameter is ill
     112                 :            :  * formed.
     113                 :            :  *
     114                 :            :  * `GSS_S_CREDENTIALS_EXPIRED`: The credentials could not be acquired
     115                 :            :  * Because they have expired.
     116                 :            :  *
     117                 :            :  * `GSS_S_NO_CRED`: No credentials were found for the specified name.
     118                 :            :  **/
     119                 :            : OM_uint32
     120                 :          1 : gss_acquire_cred (OM_uint32 * minor_status,
     121                 :            :                   const gss_name_t desired_name,
     122                 :            :                   OM_uint32 time_req,
     123                 :            :                   const gss_OID_set desired_mechs,
     124                 :            :                   gss_cred_usage_t cred_usage,
     125                 :            :                   gss_cred_id_t * output_cred_handle,
     126                 :            :                   gss_OID_set * actual_mechs, OM_uint32 * time_rec)
     127                 :            : {
     128                 :          1 :   _gss_mech_api_t mech = NULL;
     129                 :            :   OM_uint32 maj_stat;
     130                 :            : 
     131         [ -  + ]:          1 :   if (!output_cred_handle)
     132                 :          0 :     return GSS_S_NO_CRED | GSS_S_CALL_INACCESSIBLE_WRITE;
     133                 :            : 
     134         [ -  + ]:          1 :   if (desired_mechs != GSS_C_NO_OID_SET)
     135                 :            :     {
     136                 :            :       size_t i;
     137                 :            : 
     138                 :            :       /* Is the desired_mechs an OR or AND list?  I.e., if the OID set
     139                 :            :          contain several OIDs, MUST the credential work with all of
     140                 :            :          them?  Or just any of them?  The specification isn't entirely
     141                 :            :          clear on this, to me.  This implement an OR list, chosing the
     142                 :            :          first mechanism in the OID set we support.  We need more
     143                 :            :          information in meta.c to implement AND lists. */
     144                 :            : 
     145 [ #  # ][ #  # ]:          0 :       for (i = 0; mech == NULL && i < desired_mechs->count; i++)
     146                 :          0 :         mech = _gss_find_mech ((&desired_mechs->elements)[i]);
     147                 :            :     }
     148                 :            :   else
     149                 :          1 :     mech = _gss_find_mech (GSS_C_NO_OID);
     150                 :            : 
     151         [ -  + ]:          1 :   if (mech == NULL)
     152                 :            :     {
     153         [ #  # ]:          0 :       if (minor_status)
     154                 :          0 :         *minor_status = 0;
     155                 :          0 :       return GSS_S_BAD_MECH;
     156                 :            :     }
     157                 :            : 
     158                 :          1 :   *output_cred_handle = calloc (sizeof (**output_cred_handle), 1);
     159         [ -  + ]:          1 :   if (!*output_cred_handle)
     160                 :            :     {
     161         [ #  # ]:          0 :       if (minor_status)
     162                 :          0 :         *minor_status = ENOMEM;
     163                 :          0 :       return GSS_S_FAILURE;
     164                 :            :     }
     165                 :          1 :   (*output_cred_handle)->mech = mech->mech;
     166                 :            : 
     167                 :          1 :   maj_stat = mech->acquire_cred (minor_status,
     168                 :            :                                  desired_name,
     169                 :            :                                  time_req,
     170                 :            :                                  desired_mechs,
     171                 :            :                                  cred_usage,
     172                 :            :                                  output_cred_handle, actual_mechs, time_rec);
     173         [ -  + ]:          1 :   if (GSS_ERROR (maj_stat))
     174                 :            :     {
     175                 :          0 :       free (*output_cred_handle);
     176                 :          0 :       *output_cred_handle = GSS_C_NO_CREDENTIAL;
     177                 :          0 :       return maj_stat;
     178                 :            :     }
     179                 :            : 
     180                 :          1 :   return GSS_S_COMPLETE;
     181                 :            : }
     182                 :            : 
     183                 :            : /**
     184                 :            :  * gss_add_cred:
     185                 :            :  * @minor_status: (integer, modify) Mechanism specific status code.
     186                 :            :  * @input_cred_handle: (gss_cred_id_t, read, optional) The credential
     187                 :            :  *   to which a credential-element will be added.  If
     188                 :            :  *   GSS_C_NO_CREDENTIAL is specified, the routine will compose the
     189                 :            :  *   new credential based on default behavior (see text).
     190                 :            :  *   Note that, while the credential-handle is not modified by
     191                 :            :  *   gss_add_cred(), the underlying credential will be modified if
     192                 :            :  *   output_credential_handle is NULL.
     193                 :            :  * @desired_name: (gss_name_t, read.)  Name of principal whose
     194                 :            :  *   credential should be acquired.
     195                 :            :  * @desired_mech: (Object ID, read) Underlying security mechanism with
     196                 :            :  *   which the credential may be used.
     197                 :            :  * @cred_usage: (gss_cred_usage_t, read) GSS_C_BOTH - Credential may
     198                 :            :  *   be used either to initiate or accept security contexts.
     199                 :            :  *   GSS_C_INITIATE - Credential will only be used to initiate
     200                 :            :  *   security contexts.  GSS_C_ACCEPT - Credential will only be used
     201                 :            :  *   to accept security contexts.
     202                 :            :  * @initiator_time_req: (Integer, read, optional) number of seconds
     203                 :            :  *   that the credential should remain valid for initiating security
     204                 :            :  *   contexts.  This argument is ignored if the composed credentials
     205                 :            :  *   are of type GSS_C_ACCEPT.  Specify GSS_C_INDEFINITE to request
     206                 :            :  *   that the credentials have the maximum permitted initiator
     207                 :            :  *   lifetime.
     208                 :            :  * @acceptor_time_req: (Integer, read, optional) number of seconds
     209                 :            :  *   that the credential should remain valid for accepting security
     210                 :            :  *   contexts.  This argument is ignored if the composed credentials
     211                 :            :  *   are of type GSS_C_INITIATE.  Specify GSS_C_INDEFINITE to request
     212                 :            :  *   that the credentials have the maximum permitted initiator
     213                 :            :  *   lifetime.
     214                 :            :  * @output_cred_handle: (gss_cred_id_t, modify, optional) The returned
     215                 :            :  *   credential handle, containing the new credential-element and all
     216                 :            :  *   the credential-elements from input_cred_handle.  If a valid
     217                 :            :  *   pointer to a gss_cred_id_t is supplied for this parameter,
     218                 :            :  *   gss_add_cred creates a new credential handle containing all
     219                 :            :  *   credential-elements from the input_cred_handle and the newly
     220                 :            :  *   acquired credential-element; if NULL is specified for this
     221                 :            :  *   parameter, the newly acquired credential-element will be added to
     222                 :            :  *   the credential identified by input_cred_handle.  The resources
     223                 :            :  *   associated with any credential handle returned via this parameter
     224                 :            :  *   must be released by the application after use with a call to
     225                 :            :  *   gss_release_cred().
     226                 :            :  * @actual_mechs: (Set of Object IDs, modify, optional) The complete
     227                 :            :  *   set of mechanisms for which the new credential is valid.  Storage
     228                 :            :  *   for the returned OID-set must be freed by the application after
     229                 :            :  *   use with a call to gss_release_oid_set(). Specify NULL if not
     230                 :            :  *   required.
     231                 :            :  * @initiator_time_rec: (Integer, modify, optional) Actual number of
     232                 :            :  *   seconds for which the returned credentials will remain valid for
     233                 :            :  *   initiating contexts using the specified mechanism.  If the
     234                 :            :  *   implementation or mechanism does not support expiration of
     235                 :            :  *   credentials, the value GSS_C_INDEFINITE will be returned. Specify
     236                 :            :  *   NULL if not required
     237                 :            :  * @acceptor_time_rec: (Integer, modify, optional) Actual number of
     238                 :            :  *   seconds for which the returned credentials will remain valid for
     239                 :            :  *   accepting security contexts using the specified mechanism.  If
     240                 :            :  *   the implementation or mechanism does not support expiration of
     241                 :            :  *   credentials, the value GSS_C_INDEFINITE will be returned. Specify
     242                 :            :  *   NULL if not required
     243                 :            :  *
     244                 :            :  * Adds a credential-element to a credential.  The credential-element is
     245                 :            :  * identified by the name of the principal to which it refers.  GSS-API
     246                 :            :  * implementations must impose a local access-control policy on callers
     247                 :            :  * of this routine to prevent unauthorized callers from acquiring
     248                 :            :  * credential-elements to which they are not entitled. This routine is
     249                 :            :  * not intended to provide a "login to the network" function, as such a
     250                 :            :  * function would involve the creation of new mechanism-specific
     251                 :            :  * authentication data, rather than merely acquiring a GSS-API handle to
     252                 :            :  * existing data.  Such functions, if required, should be defined in
     253                 :            :  * implementation-specific extensions to the API.
     254                 :            :  *
     255                 :            :  * If desired_name is GSS_C_NO_NAME, the call is interpreted as a
     256                 :            :  * request to add a credential element that will invoke default behavior
     257                 :            :  * when passed to gss_init_sec_context() (if cred_usage is
     258                 :            :  * GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if
     259                 :            :  * cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).
     260                 :            :  *
     261                 :            :  * This routine is expected to be used primarily by context acceptors,
     262                 :            :  * since implementations are likely to provide mechanism-specific ways
     263                 :            :  * of obtaining GSS-API initiator credentials from the system login
     264                 :            :  * process.  Some implementations may therefore not support the
     265                 :            :  * acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
     266                 :            :  * gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
     267                 :            :  * produced by applying either gss_inquire_cred to a valid credential,
     268                 :            :  * or gss_inquire_context to an active context.
     269                 :            :  *
     270                 :            :  * If credential acquisition is time-consuming for a mechanism, the
     271                 :            :  * mechanism may choose to delay the actual acquisition until the
     272                 :            :  * credential is required (e.g. by gss_init_sec_context or
     273                 :            :  * gss_accept_sec_context).  Such mechanism-specific implementation
     274                 :            :  * decisions should be invisible to the calling application; thus a call
     275                 :            :  * of gss_inquire_cred immediately following the call of gss_add_cred
     276                 :            :  * must return valid credential data, and may therefore incur the
     277                 :            :  * overhead of a deferred credential acquisition.
     278                 :            :  *
     279                 :            :  * This routine can be used to either compose a new credential
     280                 :            :  * containing all credential-elements of the original in addition to the
     281                 :            :  * newly-acquire credential-element, or to add the new credential-
     282                 :            :  * element to an existing credential. If NULL is specified for the
     283                 :            :  * output_cred_handle parameter argument, the new credential-element
     284                 :            :  * will be added to the credential identified by input_cred_handle; if a
     285                 :            :  * valid pointer is specified for the output_cred_handle parameter, a
     286                 :            :  * new credential handle will be created.
     287                 :            :  *
     288                 :            :  * If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle,
     289                 :            :  * gss_add_cred will compose a credential (and set the
     290                 :            :  * output_cred_handle parameter accordingly) based on default behavior.
     291                 :            :  * That is, the call will have the same effect as if the application had
     292                 :            :  * first made a call to gss_acquire_cred(), specifying the same usage
     293                 :            :  * and passing GSS_C_NO_NAME as the desired_name parameter to obtain an
     294                 :            :  * explicit credential handle embodying default behavior, passed this
     295                 :            :  * credential handle to gss_add_cred(), and finally called
     296                 :            :  * gss_release_cred() on the first credential handle.
     297                 :            :  *
     298                 :            :  * If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle
     299                 :            :  * parameter, a non-NULL output_cred_handle must be supplied.
     300                 :            :  *
     301                 :            :  * Return value:
     302                 :            :  *
     303                 :            :  * `GSS_S_COMPLETE`: Successful completion.
     304                 :            :  *
     305                 :            :  * `GSS_S_BAD_MECH`: Unavailable mechanism requested.
     306                 :            :  *
     307                 :            :  * `GSS_S_BAD_NAMETYPE`: Type contained within desired_name parameter
     308                 :            :  * is not supported.
     309                 :            :  *
     310                 :            :  * `GSS_S_BAD_NAME`: Value supplied for desired_name parameter is
     311                 :            :  * ill-formed.
     312                 :            :  *
     313                 :            :  * `GSS_S_DUPLICATE_ELEMENT`: The credential already contains an
     314                 :            :  * element for the requested mechanism with overlapping usage and
     315                 :            :  * validity period.
     316                 :            :  *
     317                 :            :  * `GSS_S_CREDENTIALS_EXPIRED`: The required credentials could not be
     318                 :            :  * added because they have expired.
     319                 :            :  *
     320                 :            :  * `GSS_S_NO_CRED`: No credentials were found for the specified name.
     321                 :            :  **/
     322                 :            : OM_uint32
     323                 :          0 : gss_add_cred (OM_uint32 * minor_status,
     324                 :            :               const gss_cred_id_t input_cred_handle,
     325                 :            :               const gss_name_t desired_name,
     326                 :            :               const gss_OID desired_mech,
     327                 :            :               gss_cred_usage_t cred_usage,
     328                 :            :               OM_uint32 initiator_time_req,
     329                 :            :               OM_uint32 acceptor_time_req,
     330                 :            :               gss_cred_id_t * output_cred_handle,
     331                 :            :               gss_OID_set * actual_mechs,
     332                 :            :               OM_uint32 * initiator_time_rec, OM_uint32 * acceptor_time_rec)
     333                 :            : {
     334                 :          0 :   return GSS_S_UNAVAILABLE;
     335                 :            : }
     336                 :            : 
     337                 :            : /**
     338                 :            :  * gss_inquire_cred:
     339                 :            :  * @minor_status: (integer, modify) Mechanism specific status code.
     340                 :            :  * @cred_handle: (gss_cred_id_t, read) A handle that refers to the
     341                 :            :  *   target credential.  Specify GSS_C_NO_CREDENTIAL to inquire about
     342                 :            :  *   the default initiator principal.
     343                 :            :  * @name: (gss_name_t, modify, optional) The name whose identity the
     344                 :            :  *   credential asserts.  Storage associated with this name should be
     345                 :            :  *   freed by the application after use with a call to
     346                 :            :  *   gss_release_name().  Specify NULL if not required.
     347                 :            :  * @lifetime: (Integer, modify, optional) The number of seconds for
     348                 :            :  *   which the credential will remain valid.  If the credential has
     349                 :            :  *   expired, this parameter will be set to zero.  If the
     350                 :            :  *   implementation does not support credential expiration, the value
     351                 :            :  *   GSS_C_INDEFINITE will be returned.  Specify NULL if not required.
     352                 :            :  * @cred_usage: (gss_cred_usage_t, modify, optional) How the
     353                 :            :  *   credential may be used.  One of the following: GSS_C_INITIATE,
     354                 :            :  *   GSS_C_ACCEPT, GSS_C_BOTH. Specify NULL if not required.
     355                 :            :  * @mechanisms: (gss_OID_set, modify, optional) Set of mechanisms
     356                 :            :  *   supported by the credential.  Storage associated with this OID
     357                 :            :  *   set must be freed by the application after use with a call to
     358                 :            :  *   gss_release_oid_set().  Specify NULL if not required.
     359                 :            :  *
     360                 :            :  * Obtains information about a credential.
     361                 :            :  *
     362                 :            :  * Return value:
     363                 :            :  *
     364                 :            :  * `GSS_S_COMPLETE`: Successful completion.
     365                 :            :  *
     366                 :            :  * `GSS_S_NO_CRED`: The referenced credentials could not be accessed.
     367                 :            :  *
     368                 :            :  * `GSS_S_DEFECTIVE_CREDENTIAL`: The referenced credentials were invalid.
     369                 :            :  *
     370                 :            :  * `GSS_S_CREDENTIALS_EXPIRED`: The referenced credentials have
     371                 :            :  * expired.  If the lifetime parameter was not passed as NULL, it will
     372                 :            :  * be set to 0.
     373                 :            :  **/
     374                 :            : OM_uint32
     375                 :          0 : gss_inquire_cred (OM_uint32 * minor_status,
     376                 :            :                   const gss_cred_id_t cred_handle,
     377                 :            :                   gss_name_t * name,
     378                 :            :                   OM_uint32 * lifetime,
     379                 :            :                   gss_cred_usage_t * cred_usage, gss_OID_set * mechanisms)
     380                 :            : {
     381                 :          0 :   gss_cred_id_t credh = cred_handle;
     382                 :            :   _gss_mech_api_t mech;
     383                 :            :   OM_uint32 maj_stat;
     384                 :            : 
     385         [ #  # ]:          0 :   if (cred_handle == GSS_C_NO_CREDENTIAL)
     386                 :            :     {
     387                 :          0 :       maj_stat = gss_acquire_cred (minor_status, GSS_C_NO_NAME,
     388                 :            :                                    GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
     389                 :            :                                    GSS_C_INITIATE, &credh, NULL, NULL);
     390         [ #  # ]:          0 :       if (GSS_ERROR (maj_stat))
     391                 :          0 :         return maj_stat;
     392                 :            :     }
     393                 :            : 
     394                 :          0 :   mech = _gss_find_mech (credh->mech);
     395         [ #  # ]:          0 :   if (mech == NULL)
     396                 :            :     {
     397         [ #  # ]:          0 :       if (minor_status)
     398                 :          0 :         *minor_status = 0;
     399                 :          0 :       return GSS_S_BAD_MECH;
     400                 :            :     }
     401                 :            : 
     402                 :          0 :   maj_stat = mech->inquire_cred (minor_status, credh, name, lifetime,
     403                 :            :                                  cred_usage, mechanisms);
     404                 :            : 
     405         [ #  # ]:          0 :   if (cred_handle == GSS_C_NO_CREDENTIAL)
     406                 :          0 :     gss_release_cred (NULL, &credh);
     407                 :            : 
     408                 :          0 :   return maj_stat;
     409                 :            : }
     410                 :            : 
     411                 :            : /**
     412                 :            :  * gss_inquire_cred_by_mech:
     413                 :            :  * @minor_status: (Integer, modify) Mechanism specific status code.
     414                 :            :  * @cred_handle: (gss_cred_id_t, read) A handle that refers to the
     415                 :            :  *   target credential.  Specify GSS_C_NO_CREDENTIAL to inquire about
     416                 :            :  *   the default initiator principal.
     417                 :            :  * @mech_type: (gss_OID, read) The mechanism for which information
     418                 :            :  *  should be returned.
     419                 :            :  * @name: (gss_name_t, modify, optional) The name whose identity the
     420                 :            :  *   credential asserts.  Storage associated with this name must be
     421                 :            :  *   freed by the application after use with a call to
     422                 :            :  *   gss_release_name().  Specify NULL if not required.
     423                 :            :  * @initiator_lifetime: (Integer, modify, optional) The number of
     424                 :            :  *   seconds for which the credential will remain capable of
     425                 :            :  *   initiating security contexts under the specified mechanism.  If
     426                 :            :  *   the credential can no longer be used to initiate contexts, or if
     427                 :            :  *   the credential usage for this mechanism is GSS_C_ACCEPT, this
     428                 :            :  *   parameter will be set to zero.  If the implementation does not
     429                 :            :  *   support expiration of initiator credentials, the value
     430                 :            :  *   GSS_C_INDEFINITE will be returned.  Specify NULL if not required.
     431                 :            :  * @acceptor_lifetime: (Integer, modify, optional) The number of
     432                 :            :  *   seconds for which the credential will remain capable of accepting
     433                 :            :  *   security contexts under the specified mechanism.  If the
     434                 :            :  *   credential can no longer be used to accept contexts, or if the
     435                 :            :  *   credential usage for this mechanism is GSS_C_INITIATE, this
     436                 :            :  *   parameter will be set to zero.  If the implementation does not
     437                 :            :  *   support expiration of acceptor credentials, the value
     438                 :            :  *   GSS_C_INDEFINITE will be returned.  Specify NULL if not required.
     439                 :            :  * @cred_usage: (gss_cred_usage_t, modify, optional) How the
     440                 :            :  *   credential may be used with the specified mechanism.  One of the
     441                 :            :  *   following: GSS_C_INITIATE, GSS_C_ACCEPT, GSS_C_BOTH. Specify NULL
     442                 :            :  *   if not required.
     443                 :            :  *
     444                 :            :  * Obtains per-mechanism information about a credential.
     445                 :            :  *
     446                 :            :  * Return value:
     447                 :            :  *
     448                 :            :  * `GSS_S_COMPLETE`: Successful completion.
     449                 :            :  *
     450                 :            :  * `GSS_S_NO_CRED`: The referenced credentials could not be accessed.
     451                 :            :  *
     452                 :            :  * `GSS_S_DEFECTIVE_CREDENTIAL`: The referenced credentials were invalid.
     453                 :            :  *
     454                 :            :  * `GSS_S_CREDENTIALS_EXPIRED`: The referenced credentials have
     455                 :            :  * expired.  If the lifetime parameter was not passed as NULL, it will
     456                 :            :  * be set to 0.
     457                 :            :  **/
     458                 :            : OM_uint32
     459                 :          0 : gss_inquire_cred_by_mech (OM_uint32 * minor_status,
     460                 :            :                           const gss_cred_id_t cred_handle,
     461                 :            :                           const gss_OID mech_type,
     462                 :            :                           gss_name_t * name,
     463                 :            :                           OM_uint32 * initiator_lifetime,
     464                 :            :                           OM_uint32 * acceptor_lifetime,
     465                 :            :                           gss_cred_usage_t * cred_usage)
     466                 :            : {
     467                 :            :   _gss_mech_api_t mech;
     468                 :          0 :   gss_cred_id_t credh = cred_handle;
     469                 :            :   OM_uint32 maj_stat;
     470                 :            : 
     471         [ #  # ]:          0 :   if (mech_type == GSS_C_NO_OID)
     472                 :            :     {
     473         [ #  # ]:          0 :       if (minor_status)
     474                 :          0 :         *minor_status = 0;
     475                 :          0 :       return GSS_S_BAD_MECH;
     476                 :            :     }
     477                 :            : 
     478                 :          0 :   mech = _gss_find_mech (mech_type);
     479         [ #  # ]:          0 :   if (mech == NULL)
     480                 :            :     {
     481         [ #  # ]:          0 :       if (minor_status)
     482                 :          0 :         *minor_status = 0;
     483                 :          0 :       return GSS_S_BAD_MECH;
     484                 :            :     }
     485                 :            : 
     486         [ #  # ]:          0 :   if (cred_handle == GSS_C_NO_CREDENTIAL)
     487                 :            :     {
     488                 :          0 :       maj_stat = gss_acquire_cred (minor_status,
     489                 :            :                                    GSS_C_NO_NAME, GSS_C_INDEFINITE,
     490                 :            :                                    /* FIXME: We should create an OID
     491                 :            :                                       set with mech_type and pass it
     492                 :            :                                       as desired_mechs.  Maybe even
     493                 :            :                                       check actual_mechs too. */
     494                 :            :                                    GSS_C_NO_OID_SET,
     495                 :            :                                    GSS_C_INITIATE, &credh, NULL, NULL);
     496         [ #  # ]:          0 :       if (GSS_ERROR (maj_stat))
     497                 :          0 :         return maj_stat;
     498                 :            :     }
     499                 :            : 
     500                 :          0 :   maj_stat = mech->inquire_cred_by_mech (minor_status, credh, mech_type, name,
     501                 :            :                                          initiator_lifetime,
     502                 :            :                                          acceptor_lifetime, cred_usage);
     503                 :            : 
     504         [ #  # ]:          0 :   if (cred_handle == GSS_C_NO_CREDENTIAL)
     505                 :          0 :     gss_release_cred (NULL, &credh);
     506                 :            : 
     507                 :          0 :   return maj_stat;
     508                 :            : }
     509                 :            : 
     510                 :            : /**
     511                 :            :  * gss_release_cred:
     512                 :            :  * @minor_status: (Integer, modify) Mechanism specific status code.
     513                 :            :  * @cred_handle: (gss_cred_id_t, modify, optional) Opaque handle
     514                 :            :  *   identifying credential to be released.  If GSS_C_NO_CREDENTIAL is
     515                 :            :  *   supplied, the routine will complete successfully, but will do
     516                 :            :  *   nothing.
     517                 :            :  *
     518                 :            :  * Informs GSS-API that the specified credential handle is no longer
     519                 :            :  * required by the application, and frees associated resources.  The
     520                 :            :  * cred_handle is set to GSS_C_NO_CREDENTIAL on successful completion
     521                 :            :  * of this call.
     522                 :            :  *
     523                 :            :  * Return value:
     524                 :            :  *
     525                 :            :  * `GSS_S_COMPLETE`: Successful completion.
     526                 :            :  *
     527                 :            :  * `GSS_S_NO_CRED`: Credentials could not be accessed.
     528                 :            :  **/
     529                 :            : OM_uint32
     530                 :          1 : gss_release_cred (OM_uint32 * minor_status, gss_cred_id_t * cred_handle)
     531                 :            : {
     532                 :            :   _gss_mech_api_t mech;
     533                 :            :   OM_uint32 maj_stat;
     534                 :            : 
     535         [ -  + ]:          1 :   if (!cred_handle)
     536                 :            :     {
     537         [ #  # ]:          0 :       if (minor_status)
     538                 :          0 :         *minor_status = 0;
     539                 :          0 :       return GSS_S_NO_CRED | GSS_S_CALL_INACCESSIBLE_READ;
     540                 :            :     }
     541                 :            : 
     542         [ -  + ]:          1 :   if (*cred_handle == GSS_C_NO_CREDENTIAL)
     543                 :            :     {
     544         [ #  # ]:          0 :       if (minor_status)
     545                 :          0 :         *minor_status = 0;
     546                 :          0 :       return GSS_S_COMPLETE;
     547                 :            :     }
     548                 :            : 
     549                 :          1 :   mech = _gss_find_mech ((*cred_handle)->mech);
     550         [ -  + ]:          1 :   if (mech == NULL)
     551                 :            :     {
     552         [ #  # ]:          0 :       if (minor_status)
     553                 :          0 :         *minor_status = 0;
     554                 :          0 :       return GSS_S_DEFECTIVE_CREDENTIAL;
     555                 :            :     }
     556                 :            : 
     557                 :          1 :   maj_stat = mech->release_cred (minor_status, cred_handle);
     558                 :          1 :   free (*cred_handle);
     559                 :          1 :   *cred_handle = GSS_C_NO_CREDENTIAL;
     560         [ -  + ]:          1 :   if (GSS_ERROR (maj_stat))
     561                 :          0 :     return maj_stat;
     562                 :            : 
     563                 :          1 :   return GSS_S_COMPLETE;
     564                 :            : }

Generated by: LCOV version 1.8