krb5: port MIT Linux keyring credentials cache (#166)

2018-12-19 23:52:55 -08:00
parent 2e1304b9d5
commit fb81598d44
17 changed files with 2214 additions and 7 deletions
--- a/lib/krb5/Makefile.am
+++ b/lib/krb5/Makefile.am
@@ -79,6 +79,7 @@ libkrb5_la_LIBADD = \
 	$(LIB_libintl) \
 	$(LIBADD_roken) \
 	$(PTHREAD_LIBADD) \
+	$(LIB_add_key) \
 	$(LIB_door_create) \
 	$(LIB_dlopen)

@@ -93,12 +94,13 @@ librfc3961_la_LIBADD = \
 	$(LIB_libintl) \
 	$(LIBADD_roken) \
 	$(PTHREAD_LIBADD) \
+	$(LIB_add_key) \
 	$(LIB_door_create) \
 	$(LIB_dlopen)

 lib_LTLIBRARIES = libkrb5.la

-ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c
+ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c k5e1_err.c

 libkrb5_la_CPPFLAGS = \
 	-DBUILD_KRB5_LIB \
@@ -183,6 +185,7 @@ dist_libkrb5_la_SOURCES =			\
 	keytab_memory.c				\
 	krb5_locl.h				\
 	krb5-v4compat.h				\
+	krcache.c				\
 	krbhst.c				\
 	kuserok.c				\
 	kuserok_plugin.h			\
@@ -276,7 +279,7 @@ ALL_OBJECTS += $(test_renew_OBJECTS)
 ALL_OBJECTS += $(test_rfc3961_OBJECTS)

 $(ALL_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
-$(ALL_OBJECTS): krb5_err.h heim_err.h k524_err.h krb5_err.h krb_err.h k524_err.h
+$(ALL_OBJECTS): krb5_err.h heim_err.h k524_err.h k5e1_err.h krb_err.h k524_err.h

 librfc3961_la_SOURCES =				\
 	crc.c					\
@@ -380,7 +383,7 @@ dist_include_HEADERS = \
 noinst_HEADERS = $(srcdir)/krb5-private.h


-nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
+nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h k5e1_err.h

 # XXX use nobase_include_HEADERS = krb5/locate_plugin.h
 krb5dir = $(includedir)/krb5
@@ -396,9 +399,10 @@ CLEANFILES = \
 	krb5_err.c krb5_err.h \
 	krb_err.c krb_err.h \
 	heim_err.c heim_err.h \
-	k524_err.c k524_err.h
+	k524_err.c k524_err.h \
+	k5e1_err.c k5e1_err.h

-$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
+$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h k5e1_err.h

 test_config_strings.out: test_config_strings.cfg
 	$(CP) $(srcdir)/test_config_strings.cfg test_config_strings.out
@@ -413,6 +417,7 @@ EXTRA_DIST = \
 	krb_err.et \
 	heim_err.et \
 	k524_err.et \
+	k5e1_err.et \
 	$(man_MANS) \
 	version-script.map \
 	test_config_strings.cfg \
@@ -429,3 +434,5 @@ krb_err.h: krb_err.et
 heim_err.h: heim_err.et

 k524_err.h: k524_err.et
+
+k5e1_err.h: k5e1_err.et
--- a/lib/krb5/NTMakefile
+++ b/lib/krb5/NTMakefile
@@ -166,11 +166,13 @@ libkrb5_gen_OBJS=	    \
 	$(OBJ)\krb5_err.obj \
 	$(OBJ)\krb_err.obj  \
 	$(OBJ)\heim_err.obj \
-	$(OBJ)\k524_err.obj
+	$(OBJ)\k524_err.obj \
+	$(OBJ)\k5e1_err.obj

 INCFILES=			\
 	$(INCDIR)\heim_err.h	\
 	$(INCDIR)\k524_err.h	\
+	$(INCDIR)\k5e1_err.h	\
        $(INCDIR)\kcm.h         \
 	$(INCDIR)\krb_err.h	\
 	$(INCDIR)\krb5.h	\
@@ -346,6 +348,11 @@ $(OBJ)\k524_err.c $(OBJ)\k524_err.h: k524_err.et
 	$(BINDIR)\compile_et.exe $(SRCDIR)\k524_err.et
 	cd $(SRCDIR)

+$(OBJ)\k5e1_err.c $(OBJ)\k5e1_err.h: k5e1_err.et
+	cd $(OBJ)
+	$(BINDIR)\compile_et.exe $(SRCDIR)\k5e1_err.et
+	cd $(SRCDIR)
+
 #----------------------------------------------------------------------
 # libkrb5

--- a/lib/krb5/constants.c
+++ b/lib/krb5/constants.c
@@ -64,3 +64,4 @@ KRB5_LIB_VARIABLE const char *krb5_cc_type_memory = "MEMORY";
 KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm = "KCM";
 KRB5_LIB_VARIABLE const char *krb5_cc_type_scc = "SCC";
 KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc = "DIR";
+KRB5_LIB_VARIABLE const char *krb5_cc_type_keyring = "KEYRING";
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -290,6 +290,9 @@ cc_ops_register(krb5_context context)
    krb5_cc_register(context, &krb5_akcm_ops, TRUE);
 #endif
    krb5_cc_register(context, &krb5_kcm_ops, TRUE);
+#endif
+#if defined(HAVE_KEYUTILS_H)
+    krb5_cc_register(context, &krb5_krcc_ops, TRUE);
 #endif
    _krb5_load_ccache_plugins(context);
    return 0;
@@ -1116,6 +1119,7 @@ krb5_init_ets(krb5_context context)
 	krb5_add_et_list(context, initialize_heim_error_table_r);

 	krb5_add_et_list(context, initialize_k524_error_table_r);
+	krb5_add_et_list(context, initialize_k5e1_error_table_r);

 #ifdef COM_ERR_BINDDOMAIN_krb5
 	bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
--- a/lib/krb5/k5e1_err.et
+++ b/lib/krb5/k5e1_err.et
@@ -0,0 +1,13 @@
+id "$Id$"
+
+error_table k5e1
+
+index 4
+
+prefix KRB5_DCC
+error_code CANNOT_CREATE,	"Can't create new subsidiary cache"
+
+prefix KRB5_KCC
+error_code INVALID_ANCHOR,	"Invalid keyring anchor name"
+error_code UNKNOWN_VERSION,	"Unknown keyring collection version"
+error_code INVALID_UID,		"Invalid UID in persistent keyring name"
--- a/lib/krb5/krb5.h
+++ b/lib/krb5/krb5.h
@@ -45,6 +45,7 @@
 #include <krb5_err.h>
 #include <heim_err.h>
 #include <k524_err.h>
+#include <k5e1_err.h>

 #include <krb5_asn1.h>

@@ -961,6 +962,7 @@ extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops;
 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops;
 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops;
 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_krcc_ops;

 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_fkt_ops;
 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_wrfkt_ops;
@@ -975,6 +977,7 @@ extern KRB5_LIB_VARIABLE const char *krb5_cc_type_memory;
 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm;
 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_scc;
 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc;
+extern KRB5_LIB_VARIABLE const char *krb5_cc_type_keyring;

 #endif /* __KRB5_H__ */

--- a/lib/krb5/krb5_locl.h
+++ b/lib/krb5/krb5_locl.h
@@ -142,6 +142,7 @@ struct _krb5_krb_auth_data;

 #include <krb5.h>
 #include <krb5_err.h>
+#include <k5e1_err.h>
 #include <asn1_err.h>
 #ifdef PKINIT
 #include <hx509.h>
--- a/lib/krb5/krcache.c
+++ b/lib/krb5/krcache.c
--- a/lib/krb5/libkrb5-exports.def.in
+++ b/lib/krb5/libkrb5-exports.def.in
@@ -717,6 +717,8 @@ EXPORTS
 	initialize_heim_error_table
 	initialize_k524_error_table_r
 	initialize_k524_error_table
+	initialize_k5e1_error_table_r
+	initialize_k5e1_error_table

        ; variables
 	krb5_mcc_ops            DATA
@@ -727,6 +729,9 @@ EXPORTS
 #endif
 #ifdef HAVE_KCM
 	krb5_kcm_ops            DATA
+#endif
+#ifdef HAVE_KEYUTILS
+	krb5_krcc_ops           DATA
 #endif
 	krb5_wrfkt_ops          DATA
 	krb5_mkt_ops            DATA
@@ -740,6 +745,7 @@ EXPORTS
 	krb5_cc_type_file       DATA
 	krb5_cc_type_memory     DATA
 	krb5_cc_type_kcm        DATA
+	krb5_cc_type_keyring    DATA
 	krb5_cc_type_scc        DATA

        ; Shared with GSSAPI krb5
--- a/lib/krb5/test_cc.c
+++ b/lib/krb5/test_cc.c
@@ -391,6 +391,7 @@ test_cache_iter(krb5_context context, const char *type, int destroy)
 	krb5_principal principal;
 	char *name;

+	heim_assert(id != NULL, "credentials cache is non-NULL");
 	if (debug_flag)
 	    printf("name: %s\n", krb5_cc_get_name(context, id));
 	ret = krb5_cc_get_principal(context, id, &principal);
@@ -683,6 +684,9 @@ main(int argc, char **argv)
 #ifdef USE_SQLITE
    test_cache_remove(context, krb5_cc_type_scc);
 #endif
+#ifdef HAVE_KEYUTILS_H
+    test_cache_remove(context, krb5_cc_type_keyring);
+#endif

    test_default_name(context);
    test_mcache(context);
@@ -693,6 +697,9 @@ main(int argc, char **argv)
 #endif
    test_init_vs_destroy(context, krb5_cc_type_scc);
    test_init_vs_destroy(context, krb5_cc_type_dcc);
+#ifdef HAVE_KEYUTILS_H
+    test_init_vs_destroy(context, krb5_cc_type_keyring);
+#endif
    test_mcc_default();
    test_def_cc_name(context);

@@ -722,6 +729,10 @@ main(int argc, char **argv)
    test_cache_iter(context, krb5_cc_type_dcc, 0);
    test_cache_iter(context, krb5_cc_type_dcc, 1);
 #endif
+#ifdef HAVE_KEYUTILS_H
+    test_cache_iter(context, krb5_cc_type_keyring, 0);
+    test_cache_iter(context, krb5_cc_type_keyring, 1);
+#endif

    test_copy(context, krb5_cc_type_file, krb5_cc_type_file);
    test_copy(context, krb5_cc_type_memory, krb5_cc_type_memory);
@@ -736,6 +747,34 @@ main(int argc, char **argv)
    test_copy(context, krb5_cc_type_dcc, krb5_cc_type_file);
    test_copy(context, krb5_cc_type_dcc, krb5_cc_type_scc);
 #endif
+#ifdef HAVE_KEYUTILS_H
+    test_copy(context, krb5_cc_type_keyring, krb5_cc_type_file);
+    test_copy(context, krb5_cc_type_file, krb5_cc_type_file);
+    test_copy(context, "KEYRING:", "KEYRING:bar");
+    test_copy(context, "KEYRING:bar", "KEYRING:baz");
+# ifdef HAVE_KEYCTL_GET_PERSISTENT
+    test_copy(context, krb5_cc_type_file, "KEYRING:persistent");
+    test_copy(context, "KEYRING:persistent:", krb5_cc_type_file);
+    test_copy(context, krb5_cc_type_file, "KEYRING:persistent:foo");
+    test_copy(context, "KEYRING:persistent:foo", krb5_cc_type_file);
+# endif
+    test_copy(context, krb5_cc_type_memory, "KEYRING:process:");
+    test_copy(context, "KEYRING:process:", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_memory, "KEYRING:process:foo");
+    test_copy(context, "KEYRING:process:foo", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_memory, "KEYRING:thread:");
+    test_copy(context, "KEYRING:thread:", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_memory, "KEYRING:thread:foo");
+    test_copy(context, "KEYRING:thread:foo", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_memory, "KEYRING:session:");
+    test_copy(context, "KEYRING:session:", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_memory, "KEYRING:session:foo");
+    test_copy(context, "KEYRING:session:foo", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_file, "KEYRING:user:");
+    test_copy(context, "KEYRING:user:", krb5_cc_type_file);
+    test_copy(context, krb5_cc_type_file, "KEYRING:user:foo");
+    test_copy(context, "KEYRING:user:foo", krb5_cc_type_memory);
+#endif /* HAVE_KEYUTILS_H */

    test_move(context, krb5_cc_type_file);
    test_move(context, krb5_cc_type_memory);
@@ -746,6 +785,21 @@ main(int argc, char **argv)
 #if 0
    test_move(context, krb5_cc_type_dcc);
 #endif
+#ifdef HAVE_KEYUTILS_H
+    test_move(context, krb5_cc_type_keyring);
+# ifdef HAVE_KEYCTL_GET_PERSISTENT
+    test_move(context, "KEYRING:persistent:");
+    test_move(context, "KEYRING:persistent:foo");
+# endif
+    test_move(context, "KEYRING:process:");
+    test_move(context, "KEYRING:process:foo");
+    test_move(context, "KEYRING:thread:");
+    test_move(context, "KEYRING:thread:foo");
+    test_move(context, "KEYRING:session:");
+    test_move(context, "KEYRING:session:foo");
+    test_move(context, "KEYRING:user:");
+    test_move(context, "KEYRING:user:foo");
+#endif /* HAVE_KEYUTILS_H */

    test_prefix_ops(context, "FILE:/tmp/foo", &krb5_fcc_ops);
    test_prefix_ops(context, "FILE", &krb5_fcc_ops);
@@ -760,6 +814,10 @@ main(int argc, char **argv)
    test_prefix_ops(context, "DIR:", &krb5_dcc_ops);
    test_prefix_ops(context, "DIR:tkt1", &krb5_dcc_ops);
 #endif
+#ifdef HAVE_KEYUTILS_H
+    test_prefix_ops(context, "KEYRING:", &krb5_krcc_ops);
+    test_prefix_ops(context, "KEYRING:foo", &krb5_krcc_ops);
+#endif /* HAVE_KEYUTILS_H */

    krb5_cc_destroy(context, id1);
    krb5_cc_destroy(context, id2);
--- a/lib/krb5/version-script.map
+++ b/lib/krb5/version-script.map
@@ -709,12 +709,15 @@ HEIMDAL_KRB5_2.0 {
 		initialize_heim_error_table;
 		initialize_k524_error_table_r;
 		initialize_k524_error_table;
+		initialize_k5e1_error_table_r;
+		initialize_k5e1_error_table;

 		# variables
 		krb5_dcc_ops;
 		krb5_mcc_ops;
 		krb5_acc_ops;
 		krb5_fcc_ops;
+		krb5_krcc_ops;
 		krb5_scc_ops;
 		krb5_kcm_ops;
 		krb5_wrfkt_ops;
@@ -730,6 +733,7 @@ HEIMDAL_KRB5_2.0 {
 		krb5_cc_type_file;
 		krb5_cc_type_memory;
 		krb5_cc_type_kcm;
+		krb5_cc_type_keyring;
 		krb5_cc_type_scc;

 		# shared with HDB