krb5: port MIT Linux keyring credentials cache (#166)

.travis.yml

@@ -10,7 +10,7 @@ env:
 
 before_install:
     - if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get update -qq; fi
-    - if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev pkg-config python ss-dev texinfo unzip netbase; fi
+    - if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils; fi
     - if [ $TRAVIS_OS_NAME = osx ]; then brew update; fi
     - if [ $TRAVIS_OS_NAME = osx ]; then brew install cpanm bison flex berkeley-db lmdb openldap openssl; fi
     - if [ $TRAVIS_OS_NAME = osx ]; then sudo cpanm install JSON; fi

configure.ac

@@ -349,6 +349,7 @@ AC_CHECK_HEADERS([\
 	fnmatch.h				\
 	inttypes.h				\
 	io.h					\
+	keyutils.h				\
 	libutil.h				\
 	limits.h				\
 	maillock.h				\
@@ -547,7 +548,28 @@ if test "$enable_kcm" = yes; then
 fi
 AM_CONDITIONAL(KCM, test "$enable_kcm" = yes)
 
+dnl detect keyring on Linux
+if test "$ac_cv_header_keyutils_h" = yes; then
+    AC_CHECK_SIZEOF([key_serial_t],,[
+	#ifdef HAVE_INTTYPES_H
+	#include <inttypes.h>
+	#endif
+	#ifdef HAVE_SYS_TYPES_H
+	#include <sys/types.h>
+	#endif
+	#include <keyutils.h>
+    ])
+fi
 
+AC_FIND_FUNC_NO_LIBS(add_key, keyutils)
+if test -n "$LIB_add_key"; then
+    saved_LIBS="$LIBS"
+    LIBS="$LIBS $LIB_add_key"
+    AC_CHECK_FUNCS(keyctl_get_persistent)
+    LIBS="$saved_LIBS"
+fi
+
+AC_CHECK_SIZEOF([time_t])
 
 dnl Cray stuff
 AC_CHECK_FUNCS(getudbnam setlim)

include/Makefile.am

@@ -67,6 +67,7 @@ CLEANFILES =			\
 	hx509.h			\
 	hx509_err.h		\
 	k524_err.h		\
+	k5e1_err.h		\
 	kafs.h			\
 	kcm-protos.h		\
 	kdc-private.h		\

include/config.h.w32

@@ -1425,6 +1425,13 @@ static const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Used with login -p */
 /* #undef LOGIN_ARGS */
 
+/* The size of `time_t', as computed by sizeof. */
+#if defined (_USE_64BIT_TIME_T) || !defined( _USE_32BIT_TIME_T)
+#define SIZEOF_TIME_T 8
+#else
+#define SIZEOF_TIME_T 4
+#endif
+
 #ifdef ROKEN_RENAME
 #include "roken_rename.h"
 #endif

lib/base/heimbase.h

@@ -451,6 +451,9 @@ void heim_w32_service_thread_detach(void *);
 #define heim_base_exchange_pointer(t,v) __sync_lock_test_and_set((t), (v))
 #endif
 
+#define heim_base_exchange_32(t,v)	heim_base_exchange_pointer((t), (v))
+#define heim_base_exchange_64(t,v)	heim_base_exchange_pointer((t), (v))
+
 #elif defined(__sun)
 
 #include <sys/atomic.h>
@@ -461,6 +464,8 @@ void heim_w32_service_thread_detach(void *);
 #define heim_base_atomic_max    UINT_MAX
 
 #define heim_base_exchange_pointer(t,v) atomic_swap_ptr((volatile void *)(t), (void *)(v))
+#define heim_base_exchange_32(t,v)	atomic_swap_32((volatile uint32_t *)(t), (v))
+#define heim_base_exchange_64(t,v)	atomic_swap_64((volatile uint64_t *)(t), (v))
 
 #elif defined(_AIX)
 
@@ -482,6 +487,28 @@ heim_base_exchange_pointer(void *p, void *newval)
     return val;
 }
 
+static inline uint32_t
+heim_base_exchange_32(uint32_t *p, uint32_t newval)
+{
+    uint32_t val = *p;
+
+    while (!compare_and_swap((atomic_p)p, (int *)&val, (int)newval))
+        ;
+
+    return val;
+}
+
+static inline uint64_t
+heim_base_exchange_64(uint64_t *p, uint64_t newval)
+{
+    uint64_t val = *p;
+
+    while (!compare_and_swaplp((atomic_l)p, (long *)&val, (long)newval))
+        ;
+
+    return val;
+}
+
 #elif defined(_WIN32)
 
 #define heim_base_atomic_inc(x) InterlockedIncrement(x)
@@ -490,6 +517,8 @@ heim_base_exchange_pointer(void *p, void *newval)
 #define heim_base_atomic_max    MAXLONG
 
 #define heim_base_exchange_pointer(t,v) InterlockedExchangePointer((PVOID volatile *)(t), (PVOID)(v))
+#define heim_base_exchange_32(t,v)	((ULONG)InterlockedExchange((LONG volatile *)(t), (LONG)(v)))
+#define heim_base_exchange_64(t,v)	((ULONG64)InterlockedExchange64((LONG64 violatile *)(t), (LONG64)(v)))
 
 #else
 
@@ -535,4 +564,12 @@ heim_base_exchange_pointer(void *target, void *value)
 
 #endif /* defined(__GNUC__) && defined(HAVE___SYNC_ADD_AND_FETCH) */
 
+#if SIZEOF_TIME_T == 8
+#define heim_base_exchange_time_t(t,v)	heim_base_exchange_64((t), (v))
+#elif SIZEOF_TIME_T == 4
+#define heim_base_exchange_time_t(t,v)	heim_base_exchange_32((t), (v))
+#else
+#error set SIZEOF_TIME_T for your platform
+#endif
+
 #endif /* HEIM_BASE_H */

lib/krb5/Makefile.am

@@ -79,6 +79,7 @@ libkrb5_la_LIBADD = \
 	$(LIB_libintl) \
 	$(LIBADD_roken) \
 	$(PTHREAD_LIBADD) \
+	$(LIB_add_key) \
 	$(LIB_door_create) \
 	$(LIB_dlopen)
 
@@ -93,12 +94,13 @@ librfc3961_la_LIBADD = \
 	$(LIB_libintl) \
 	$(LIBADD_roken) \
 	$(PTHREAD_LIBADD) \
+	$(LIB_add_key) \
 	$(LIB_door_create) \
 	$(LIB_dlopen)
 
 lib_LTLIBRARIES = libkrb5.la
 
-ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c
+ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c k5e1_err.c
 
 libkrb5_la_CPPFLAGS = \
 	-DBUILD_KRB5_LIB \
@@ -183,6 +185,7 @@ dist_libkrb5_la_SOURCES =			\
 	keytab_memory.c				\
 	krb5_locl.h				\
 	krb5-v4compat.h				\
+	krcache.c				\
 	krbhst.c				\
 	kuserok.c				\
 	kuserok_plugin.h			\
@@ -276,7 +279,7 @@ ALL_OBJECTS += $(test_renew_OBJECTS)
 ALL_OBJECTS += $(test_rfc3961_OBJECTS)
 
 $(ALL_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
-$(ALL_OBJECTS): krb5_err.h heim_err.h k524_err.h krb5_err.h krb_err.h k524_err.h
+$(ALL_OBJECTS): krb5_err.h heim_err.h k524_err.h k5e1_err.h krb_err.h k524_err.h
 
 librfc3961_la_SOURCES =				\
 	crc.c					\
@@ -380,7 +383,7 @@ dist_include_HEADERS = \
 noinst_HEADERS = $(srcdir)/krb5-private.h
 
 
-nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
+nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h k5e1_err.h
 
 # XXX use nobase_include_HEADERS = krb5/locate_plugin.h
 krb5dir = $(includedir)/krb5
@@ -396,9 +399,10 @@ CLEANFILES = \
 	krb5_err.c krb5_err.h \
 	krb_err.c krb_err.h \
 	heim_err.c heim_err.h \
-	k524_err.c k524_err.h
+	k524_err.c k524_err.h \
+	k5e1_err.c k5e1_err.h
 
-$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
+$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h k5e1_err.h
 
 test_config_strings.out: test_config_strings.cfg
 	$(CP) $(srcdir)/test_config_strings.cfg test_config_strings.out
@@ -413,6 +417,7 @@ EXTRA_DIST = \
 	krb_err.et \
 	heim_err.et \
 	k524_err.et \
+	k5e1_err.et \
 	$(man_MANS) \
 	version-script.map \
 	test_config_strings.cfg \
@@ -429,3 +434,5 @@ krb_err.h: krb_err.et
 heim_err.h: heim_err.et
 
 k524_err.h: k524_err.et
+
+k5e1_err.h: k5e1_err.et

lib/krb5/NTMakefile

@@ -166,11 +166,13 @@ libkrb5_gen_OBJS=	    \
 	$(OBJ)\krb5_err.obj \
 	$(OBJ)\krb_err.obj  \
 	$(OBJ)\heim_err.obj \
-	$(OBJ)\k524_err.obj
+	$(OBJ)\k524_err.obj \
+	$(OBJ)\k5e1_err.obj
 
 INCFILES=			\
 	$(INCDIR)\heim_err.h	\
 	$(INCDIR)\k524_err.h	\
+	$(INCDIR)\k5e1_err.h	\
         $(INCDIR)\kcm.h         \
 	$(INCDIR)\krb_err.h	\
 	$(INCDIR)\krb5.h	\
@@ -346,6 +348,11 @@ $(OBJ)\k524_err.c $(OBJ)\k524_err.h: k524_err.et
 	$(BINDIR)\compile_et.exe $(SRCDIR)\k524_err.et
 	cd $(SRCDIR)
 
+$(OBJ)\k5e1_err.c $(OBJ)\k5e1_err.h: k5e1_err.et
+	cd $(OBJ)
+	$(BINDIR)\compile_et.exe $(SRCDIR)\k5e1_err.et
+	cd $(SRCDIR)
+
 #----------------------------------------------------------------------
 # libkrb5
 

lib/krb5/constants.c

@@ -64,3 +64,4 @@ KRB5_LIB_VARIABLE const char *krb5_cc_type_memory = "MEMORY";
 KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm = "KCM";
 KRB5_LIB_VARIABLE const char *krb5_cc_type_scc = "SCC";
 KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc = "DIR";
+KRB5_LIB_VARIABLE const char *krb5_cc_type_keyring = "KEYRING";

lib/krb5/context.c

@@ -290,6 +290,9 @@ cc_ops_register(krb5_context context)
     krb5_cc_register(context, &krb5_akcm_ops, TRUE);
 #endif
     krb5_cc_register(context, &krb5_kcm_ops, TRUE);
+#endif
+#if defined(HAVE_KEYUTILS_H)
+    krb5_cc_register(context, &krb5_krcc_ops, TRUE);
 #endif
     _krb5_load_ccache_plugins(context);
     return 0;
@@ -1116,6 +1119,7 @@ krb5_init_ets(krb5_context context)
 	krb5_add_et_list(context, initialize_heim_error_table_r);
 
 	krb5_add_et_list(context, initialize_k524_error_table_r);
+	krb5_add_et_list(context, initialize_k5e1_error_table_r);
 
 #ifdef COM_ERR_BINDDOMAIN_krb5
 	bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);

lib/krb5/k5e1_err.et

@@ -0,0 +1,13 @@
+id "$Id$"
+
+error_table k5e1
+
+index 4
+
+prefix KRB5_DCC
+error_code CANNOT_CREATE,	"Can't create new subsidiary cache"
+
+prefix KRB5_KCC
+error_code INVALID_ANCHOR,	"Invalid keyring anchor name"
+error_code UNKNOWN_VERSION,	"Unknown keyring collection version"
+error_code INVALID_UID,		"Invalid UID in persistent keyring name"

lib/krb5/krb5.h

@@ -45,6 +45,7 @@
 #include <krb5_err.h>
 #include <heim_err.h>
 #include <k524_err.h>
+#include <k5e1_err.h>
 
 #include <krb5_asn1.h>
 
@@ -961,6 +962,7 @@ extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops;
 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops;
 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops;
 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_krcc_ops;
 
 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_fkt_ops;
 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_wrfkt_ops;
@@ -975,6 +977,7 @@ extern KRB5_LIB_VARIABLE const char *krb5_cc_type_memory;
 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm;
 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_scc;
 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc;
+extern KRB5_LIB_VARIABLE const char *krb5_cc_type_keyring;
 
 #endif /* __KRB5_H__ */
 

lib/krb5/krb5_locl.h

@@ -142,6 +142,7 @@ struct _krb5_krb_auth_data;
 
 #include <krb5.h>
 #include <krb5_err.h>
+#include <k5e1_err.h>
 #include <asn1_err.h>
 #ifdef PKINIT
 #include <hx509.h>

lib/krb5/libkrb5-exports.def.in

@@ -717,6 +717,8 @@ EXPORTS
 	initialize_heim_error_table
 	initialize_k524_error_table_r
 	initialize_k524_error_table
+	initialize_k5e1_error_table_r
+	initialize_k5e1_error_table
 
         ; variables
 	krb5_mcc_ops            DATA
@@ -727,6 +729,9 @@ EXPORTS
 #endif
 #ifdef HAVE_KCM
 	krb5_kcm_ops            DATA
+#endif
+#ifdef HAVE_KEYUTILS
+	krb5_krcc_ops           DATA
 #endif
 	krb5_wrfkt_ops          DATA
 	krb5_mkt_ops            DATA
@@ -740,6 +745,7 @@ EXPORTS
 	krb5_cc_type_file       DATA
 	krb5_cc_type_memory     DATA
 	krb5_cc_type_kcm        DATA
+	krb5_cc_type_keyring    DATA
 	krb5_cc_type_scc        DATA
 
         ; Shared with GSSAPI krb5

lib/krb5/test_cc.c

@@ -391,6 +391,7 @@ test_cache_iter(krb5_context context, const char *type, int destroy)
 	krb5_principal principal;
 	char *name;
 
+	heim_assert(id != NULL, "credentials cache is non-NULL");
 	if (debug_flag)
 	    printf("name: %s\n", krb5_cc_get_name(context, id));
 	ret = krb5_cc_get_principal(context, id, &principal);
@@ -683,6 +684,9 @@ main(int argc, char **argv)
 #ifdef USE_SQLITE
     test_cache_remove(context, krb5_cc_type_scc);
 #endif
+#ifdef HAVE_KEYUTILS_H
+    test_cache_remove(context, krb5_cc_type_keyring);
+#endif
 
     test_default_name(context);
     test_mcache(context);
@@ -693,6 +697,9 @@ main(int argc, char **argv)
 #endif
     test_init_vs_destroy(context, krb5_cc_type_scc);
     test_init_vs_destroy(context, krb5_cc_type_dcc);
+#ifdef HAVE_KEYUTILS_H
+    test_init_vs_destroy(context, krb5_cc_type_keyring);
+#endif
     test_mcc_default();
     test_def_cc_name(context);
 
@@ -722,6 +729,10 @@ main(int argc, char **argv)
     test_cache_iter(context, krb5_cc_type_dcc, 0);
     test_cache_iter(context, krb5_cc_type_dcc, 1);
 #endif
+#ifdef HAVE_KEYUTILS_H
+    test_cache_iter(context, krb5_cc_type_keyring, 0);
+    test_cache_iter(context, krb5_cc_type_keyring, 1);
+#endif
 
     test_copy(context, krb5_cc_type_file, krb5_cc_type_file);
     test_copy(context, krb5_cc_type_memory, krb5_cc_type_memory);
@@ -736,6 +747,34 @@ main(int argc, char **argv)
     test_copy(context, krb5_cc_type_dcc, krb5_cc_type_file);
     test_copy(context, krb5_cc_type_dcc, krb5_cc_type_scc);
 #endif
+#ifdef HAVE_KEYUTILS_H
+    test_copy(context, krb5_cc_type_keyring, krb5_cc_type_file);
+    test_copy(context, krb5_cc_type_file, krb5_cc_type_file);
+    test_copy(context, "KEYRING:", "KEYRING:bar");
+    test_copy(context, "KEYRING:bar", "KEYRING:baz");
+# ifdef HAVE_KEYCTL_GET_PERSISTENT
+    test_copy(context, krb5_cc_type_file, "KEYRING:persistent");
+    test_copy(context, "KEYRING:persistent:", krb5_cc_type_file);
+    test_copy(context, krb5_cc_type_file, "KEYRING:persistent:foo");
+    test_copy(context, "KEYRING:persistent:foo", krb5_cc_type_file);
+# endif
+    test_copy(context, krb5_cc_type_memory, "KEYRING:process:");
+    test_copy(context, "KEYRING:process:", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_memory, "KEYRING:process:foo");
+    test_copy(context, "KEYRING:process:foo", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_memory, "KEYRING:thread:");
+    test_copy(context, "KEYRING:thread:", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_memory, "KEYRING:thread:foo");
+    test_copy(context, "KEYRING:thread:foo", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_memory, "KEYRING:session:");
+    test_copy(context, "KEYRING:session:", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_memory, "KEYRING:session:foo");
+    test_copy(context, "KEYRING:session:foo", krb5_cc_type_memory);
+    test_copy(context, krb5_cc_type_file, "KEYRING:user:");
+    test_copy(context, "KEYRING:user:", krb5_cc_type_file);
+    test_copy(context, krb5_cc_type_file, "KEYRING:user:foo");
+    test_copy(context, "KEYRING:user:foo", krb5_cc_type_memory);
+#endif /* HAVE_KEYUTILS_H */
 
     test_move(context, krb5_cc_type_file);
     test_move(context, krb5_cc_type_memory);
@@ -746,6 +785,21 @@ main(int argc, char **argv)
 #if 0
     test_move(context, krb5_cc_type_dcc);
 #endif
+#ifdef HAVE_KEYUTILS_H
+    test_move(context, krb5_cc_type_keyring);
+# ifdef HAVE_KEYCTL_GET_PERSISTENT
+    test_move(context, "KEYRING:persistent:");
+    test_move(context, "KEYRING:persistent:foo");
+# endif
+    test_move(context, "KEYRING:process:");
+    test_move(context, "KEYRING:process:foo");
+    test_move(context, "KEYRING:thread:");
+    test_move(context, "KEYRING:thread:foo");
+    test_move(context, "KEYRING:session:");
+    test_move(context, "KEYRING:session:foo");
+    test_move(context, "KEYRING:user:");
+    test_move(context, "KEYRING:user:foo");
+#endif /* HAVE_KEYUTILS_H */
 
     test_prefix_ops(context, "FILE:/tmp/foo", &krb5_fcc_ops);
     test_prefix_ops(context, "FILE", &krb5_fcc_ops);
@@ -760,6 +814,10 @@ main(int argc, char **argv)
     test_prefix_ops(context, "DIR:", &krb5_dcc_ops);
     test_prefix_ops(context, "DIR:tkt1", &krb5_dcc_ops);
 #endif
+#ifdef HAVE_KEYUTILS_H
+    test_prefix_ops(context, "KEYRING:", &krb5_krcc_ops);
+    test_prefix_ops(context, "KEYRING:foo", &krb5_krcc_ops);
+#endif /* HAVE_KEYUTILS_H */
 
     krb5_cc_destroy(context, id1);
     krb5_cc_destroy(context, id2);

lib/krb5/version-script.map

@@ -709,12 +709,15 @@ HEIMDAL_KRB5_2.0 {
 		initialize_heim_error_table;
 		initialize_k524_error_table_r;
 		initialize_k524_error_table;
+		initialize_k5e1_error_table_r;
+		initialize_k5e1_error_table;
 
 		# variables
 		krb5_dcc_ops;
 		krb5_mcc_ops;
 		krb5_acc_ops;
 		krb5_fcc_ops;
+		krb5_krcc_ops;
 		krb5_scc_ops;
 		krb5_kcm_ops;
 		krb5_wrfkt_ops;
@@ -730,6 +733,7 @@ HEIMDAL_KRB5_2.0 {
 		krb5_cc_type_file;
 		krb5_cc_type_memory;
 		krb5_cc_type_kcm;
+		krb5_cc_type_keyring;
 		krb5_cc_type_scc;
 
 		# shared with HDB

packages/windows/sdk/NTMakefile

@@ -73,6 +73,7 @@ INCFILES=\
 	$(SDKINCDIR)\krb5\asn1_err.h	\
 	$(SDKINCDIR)\krb5\heim_err.h	\
 	$(SDKINCDIR)\krb5\k524_err.h	\
+	$(SDKINCDIR)\krb5\k5e1_err.h	\
 	$(SDKINCDIR)\krb5\krb5-protos.h	\
 	$(SDKINCDIR)\krb5\krb5-types.h	\
 	$(SDKINCDIR)\krb5\krb5-v4compat.h	\
@@ -105,6 +106,7 @@ INCFILES=\
 	$(SDKINCDIR)\heimdal\asn1_err.h	\
 	$(SDKINCDIR)\heimdal\heim_err.h	\
 	$(SDKINCDIR)\heimdal\k524_err.h	\
+	$(SDKINCDIR)\heimdal\k5e1_err.h	\
 	$(SDKINCDIR)\heimdal\krb5-protos.h	\
 	$(SDKINCDIR)\heimdal\krb5-types.h	\
 	$(SDKINCDIR)\heimdal\krb5-v4compat.h	\